Cybersecurity Glossary

1045 terms defined

A
abuse case
AppSec / DevSecOps
A specification for how a system can be misused or attacked.
acceptable risk
CISO, GRC
The level of risk that an organization is willing to accept, based on a cost-benefit analysis of implementing security controls versus the potentia...
acceptable use policy
CISO, GRC
A policy that defines the acceptable use of an organization's IT resources, including computers, networks, and internet access.
access
CISO, Network / Infra
The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of ...
access broker
Threat Intel, SOC Analyst
A threat actor that specializes in gaining initial access to organizations and selling that access to other cybercriminals, including ransomware op...
access control
CISO, Network / Infra
The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services;...
access control list
Network / Infra, Cloud Security
A list of permissions attached to a system resource that specifies which users or system processes are granted access and what operations are allowed.
access control mechanism
CISO, Network / Infra
Security measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility.
access token
AppSec / DevSecOps, Cloud Security
A credential that represents the authorization granted to an application or user.
account harvesting
Pentest / Red Team, Threat Hunter
The process of collecting valid user accounts through techniques such as DNS enumeration, Finger protocol, or LDAP queries.
account lockout
SOC Analyst, Pentest / Red Team
A security mechanism that temporarily or permanently disables an account after multiple failed login attempts.
account takeover
SOC Analyst, Threat Intel
An attack where a cybercriminal gains unauthorized access to a user account, typically through stolen credentials, phishing, or session hijacking.
accountability
CISO, SOC Analyst
The requirement to track and log user and system activities to ensure users can be held responsible for their actions.
active attack
Pentest / Red Team
An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations.
active content
CISO, SOC Analyst
Software that is able to automatically carry out or trigger actions without the explicit intervention of a user.
active directory
Network / Infra, Pentest / Red Team, IR / Forensics
Microsoft's directory service for Windows domain networks that provides authentication, authorization, and directory services.
active reconnaissance
Pentest / Red Team
The phase of an attack where the adversary directly interacts with the target system to gather information, such as port scanning or vulnerability ...
address resolution protocol
Network / Infra
A protocol used to map IP network addresses to the hardware (MAC) addresses used by a data link protocol.
address space layout randomization
AppSec / DevSecOps, Pentest / Red Team
A memory protection technique that randomizes the positions of key data areas in a process's address space, making it harder to exploit buffer over...
advanced encryption standard
GRC
A symmetric encryption algorithm approved by the U.S.
advanced persistent threat
SOC Analyst, Threat Hunter
A sophisticated, prolonged cyber attack by well-resourced adversaries, often nation-states, targeting specific organizations.
advanced threat protection
SOC Analyst, CISO
A category of security solutions designed to detect and prevent sophisticated attacks that bypass traditional security measures.
adversarial machine learning
SOC Analyst, Threat Hunter
Techniques for attacking and defending machine learning models, including adversarial examples designed to cause misclassification.
adversarial robustness
AppSec / DevSecOps, Threat Intel
The ability of an AI or machine learning model to maintain correct behavior when subjected to adversarial inputs designed to cause misclassification or incorrect outputs. A key concern in AI-integrated application security.
adversary
Threat Hunter
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
adversary emulation
Pentest / Red Team, Threat Hunter
The practice of simulating specific threat actor behavior and TTPs to test and validate security controls.
adversary simulation
Pentest / Red Team, Threat Hunter
The practice of mimicking the tactics, techniques, and procedures of real threat actors to test and validate an organization's detection and respon...
adware
SOC Analyst, Threat Hunter
Malware that displays unwanted advertisements and may track user behavior for marketing purposes.
agent
SOC Analyst, Network / Infra
In cybersecurity, software that runs on a host to perform security functions such as monitoring, data collection, or policy enforcement on behalf o...
agentic ai security
AppSec / DevSecOps, Threat Intel
The discipline of securing autonomous AI agents that can independently perform multi-step tasks, make decisions, and interact with external systems. Addresses risks such as excessive agency, privilege escalation, and unintended actions in agentic workflows.
aggregation risk
CISO, GRC
The risk that combining multiple pieces of non-sensitive information reveals sensitive information.
ai red teaming
AppSec / DevSecOps, Pentest / Red Team, Threat Intel
A structured adversarial testing methodology for identifying vulnerabilities, biases, and safety issues in AI and machine learning systems. Includes prompt injection testing, jailbreak attempts, model evasion, and evaluating guardrail effectiveness.
ai security
GRC
Security practices and challenges specific to artificial intelligence and machine learning systems, including model poisoning, adversarial examples...
ai security posture management
Cloud Security, CISO, AppSec / DevSecOps
A security discipline that continuously monitors, assesses, and hardens the security posture of AI models, training pipelines, data assets, and infere...
aiaas
Cloud Security
A cloud-based service offering artificial intelligence (AI) outsourcing.
air gap
CISO, SOC Analyst, Network / Infra
To physically separate or isolate a system from other systems or networks (verb).
air-gapped network
Network / Infra, CISO
A network security measure where a computer or network is physically isolated from unsecured networks.
alert
SOC Analyst
A notification that a specific attack has been detected or directed at an organization’s information systems.
alert fatigue
SOC Analyst, CISO
A condition where security analysts become desensitized to alerts due to high volumes of notifications, leading to missed genuine threats.
algorithm
AppSec / DevSecOps
A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer.
all source intelligence
Threat Intel
In the NICE Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the I...
allowlist
CISO, Network / Infra
A list of entities that are considered trustworthy and are granted access or privileges.
analyze
CISO, SOC Analyst
A NICE Framework category consisting of specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity informat...
anomaly detection
SOC Analyst, Threat Hunter
A security technique that identifies deviations from normal behavior patterns to detect potential threats.
anonymizers
CISO, SOC Analyst
An anonymizer (anonymous proxy) is a tool that attempts to make activity on the Internet untraceable.
anti-csrf
SOC Analyst, Threat Hunter
Related pairs of tokens given to users to validate their requests and prevent attackers from issuing requests via the victim.
anti-malware
SOC Analyst, Network / Infra
Software designed to detect, prevent, and remove malicious software from computer systems.
anti-phishing
SOC Analyst, Network / Infra
Technologies and practices designed to detect and prevent phishing attacks, including email filtering, URL reputation checking, and user awareness ...
anti-replay
Network / Infra
A security mechanism that prevents attackers from intercepting and retransmitting valid data transmissions to gain unauthorized access or repeat tr...
antiforensic
IR / Forensics
A set of techniques used to conceal or destroy evidence to frustrate or deceive digital forensic investigations.
antispoofing
Pentest / Red Team, Network / Infra
A technique for identifying and dropping packets that have a false source address.
antispyware software
CISO, SOC Analyst
A program that specializes in detecting and blocking or removing forms of spyware.
antivirus
SOC Analyst, Network / Infra
Software designed to detect, prevent, and remove malicious software from computers.
antivirus software
SOC Analyst
A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents.
application firewall
AppSec / DevSecOps, Network / Infra
A firewall that operates at the application layer to monitor, filter, and block HTTP/HTTPS traffic to and from a web application.
application layer attack
Network / Infra, AppSec / DevSecOps
A DDoS attack targeting the application layer (Layer 7 of the OSI model) to exhaust server resources by mimicking legitimate user requests.
application programming interface security
AppSec / DevSecOps, Cloud Security
The practice of protecting APIs from attacks and misuse.
application security testing
AppSec / DevSecOps
The process of making applications more resistant to security threats through identifying, fixing, and preventing security vulnerabilities using SA...
application whitelisting
SOC Analyst, Network / Infra, AppSec / DevSecOps
A security practice that allows only pre-approved applications to run on a system, blocking all unauthorized software.
appsec
CISO, SOC Analyst
The process of finding, fixing, and preventing security vulnerabilities at the application level, as part of the software development process.
arp spoofing
SOC Analyst, Threat Hunter
An attack that forges ARP messages to associate the attacker's MAC address with a legitimate IP address, enabling MITM attacks on local networks.
asset
CISO, SOC Analyst
A person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputat...
asset inventory
CISO, GRC, SOC Analyst
A comprehensive catalog of all hardware, software, and data assets in an organization.
assume breach
CISO, Threat Hunter
A security mindset that operates under the assumption that adversaries have already compromised or will compromise the environment.
asymmetric encryption
Network / Infra, AppSec / DevSecOps
An encryption method using a pair of public and private keys.
asymmetric warfare
Threat Intel, CISO
In cyber context, conflict where one party has significantly different resources or capabilities than the other.
attack
Pentest / Red Team
An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
attack graph
Pentest / Red Team, CISO
A visual representation of all possible paths an attacker could take through a network to reach a target.
attack lifecycle
Threat Hunter, SOC Analyst
The sequential phases of a cyber attack from initial reconnaissance through to data exfiltration or impact.
attack method
Threat Hunter, Pentest / Red Team
The manner or technique and means an adversary may use in an assault on information or an information system.
attack path
Pentest / Red Team
The steps that an adversary takes or may take to plan, prepare for, and execute an attack.
attack pattern
Pentest / Red Team
Similar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential securi...
attack signature
Pentest / Red Team, Network / Infra
A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks.
attack surface
Pentest / Red Team, CISO, AppSec / DevSecOps
The set of ways in which an adversary can enter a system and potentially cause damage.
attack tree
CISO, Pentest / Red Team
A conceptual diagram showing how an asset or target might be attacked.
attack vector
SOC Analyst, Threat Hunter, Pentest / Red Team
The path or means by which an attacker gains access to a target system.
attacker
Pentest / Red Team
An individual, group, organization, or government that executes an attack.
attribute-based access control
CISO, Network / Infra
An advanced access control model that grants access based on attributes such as user properties, resource properties, and environmental conditions.
attribution
Threat Intel
The process of identifying and confirming the source or perpetrator of a cyber attack.
audit log
SOC Analyst, IR / Forensics, GRC
A record of system activities and security events that provides evidence of who accessed what and when.
audit trail
GRC, IR / Forensics
A chronological record of system activities that provides documentary evidence of the sequence of activities.
authenticated vulnerability scan
SOC Analyst, Pentest / Red Team
A vulnerability scan performed with valid credentials that can check for vulnerabilities from an insider's perspective, including patch levels and ...
authentication
CISO, Network / Infra
The process of verifying the identity of a user, device, or system.
authenticity
Network / Infra, AppSec / DevSecOps
A property achieved through cryptographic methods of being genuine and being able to be verified and trusted, resulting in confidence in the validi...
authorization
CISO, Network / Infra
The process of determining what an authenticated user or system is allowed to do.
automated indicator sharing
Threat Intel, SOC Analyst
A CISA service that enables the exchange of cyber threat indicators between the federal government and the private sector at machine speed.
automated threat response
SOC Analyst, IR / Forensics
Security capabilities that automatically take action against detected threats without human intervention, such as isolating endpoints or blocking IPs.
autonomous system
Network / Infra
A connected group of IP networks that share a common routing policy and are run by one or more operators.
availability
CISO, Network / Infra
A security principle ensuring that systems and data are accessible and usable by authorized users when needed.
B
backdoor
SOC Analyst, Threat Hunter, CISO, Network / Infra
A hidden method of gaining unauthorized access to a system, bypassing normal authentication mechanisms.
bandwidth
Network / Infra
The maximum rate of data transfer across a network path.
bandwidth throttling
Network / Infra
The intentional slowing of internet service by a network operator.
banner grabbing
Pentest / Red Team, Threat Hunter
A technique used to gain information about computer systems on a network and the services running on its open ports.
baseline security
CISO, GRC
The minimum level of security controls required for an information system, based on its identified needs for the protection of confidentiality, int...
baselining
SOC Analyst, GRC
The process of establishing a standard or reference point for system configurations, network traffic, or user behavior against which deviations can...
bastion host
Network / Infra, Cloud Security
A hardened computer specifically configured to withstand attacks, placed at the edge of a network to provide controlled access.
bcrypt
Network / Infra, AppSec / DevSecOps
A password-hashing function based on the Blowfish cipher and presented at USENIX in 1999.
beacon
SOC Analyst, Threat Hunter, IR / Forensics
A type of malware communication where compromised systems periodically contact a command and control server for instructions.
beaconing
Threat Intel, Threat Hunter, SOC Analyst, IR / Forensics
Periodic, automated communication from malware or an implant to its command-and-control (C2) server at regular intervals to signal active compromise, receive tasking, or maintain persistence. Consistent beacon intervals are a key detection indicator.
behaviour
SOC Analyst, Threat Hunter
The extent to which an individual practices several types of cybersecurity measures to avoid or attenuate the types of cyber threats that they are ...
biocertification
Threat Hunter
The use of biometric data for authentication and access control to improve cybersecurity.
biohacking
CISO, SOC Analyst
Making small, strategic changes to habits and behaviors to improve things like cognitive function and weight management.
biometric
SOC Analyst, Threat Hunter
The use of unique physical or behavioral traits like fingerprints, facial features, and voice patterns for cybersecurity authentication. This method verifi...
biometric authentication
CISO, Network / Infra
Authentication based on unique physical or behavioral characteristics such as fingerprints, facial recognition, or iris scanning.
biosurveillance
SOC Analyst, Threat Hunter
A systematic process of gathering near real-time biological information to detect, monitor, and characterize threats to human, animal, plant, and e...
birthday attack
Pentest / Red Team, AppSec / DevSecOps
A cryptographic attack that exploits the mathematics behind the birthday problem in probability theory.
bit flipping attack
Pentest / Red Team, AppSec / DevSecOps
A cryptographic attack that manipulates ciphertext bits to produce predictable changes in plaintext.
black box testing
Pentest / Red Team
A testing methodology where the tester has no prior knowledge of the target system's internal structure.
blackbox
CISO, SOC Analyst
A form of testing that is performed with no knowledge of a target system's internals.
blacklist
Network / Infra, SOC Analyst
A list of entities (IP addresses, domains, applications) that are explicitly denied access or blocked.
blind sql injection
Pentest / Red Team, AppSec / DevSecOps
A type of SQL injection attack where the attacker asks the database true or false questions and determines the answer based on the application's re...
block cipher
Network / Infra
A symmetric encryption algorithm that divides plaintext into fixed-size blocks and encrypts each block independently.
blockchain
CISO, SOC Analyst
Blockchain is a decentralized ledger that records and verifies transactions across a network of computers.
blocklist
CISO, Network / Infra
A list of entities that are blocked or denied privileges or access.
blue screen of death
SOC Analyst, IR / Forensics
A Windows system error screen indicating a critical system failure.
blue team
Pentest / Red Team, SOC Analyst, IR / Forensics, CISO
A group that defends an enterprise's information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exerc...
bluejacking
SOC Analyst, Threat Hunter
An attack in which someone sends unsolicited messages to a Bluetooth-enabled device.
bluesnarfing
CISO, Network / Infra
A hacking technique in which a hacker accesses a wireless device through a Bluetooth connection.
boot sector virus
SOC Analyst, IR / Forensics
A type of virus that infects the master boot record or volume boot record of a storage device, executing before the operating system loads.
bootkits
SOC Analyst, Threat Hunter
A bootkit is a type of malware that infects a computer's boot process, giving the attacker control over the system.
bot
CISO, SOC Analyst
A computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under remote t...
bot master
CISO, SOC Analyst
The controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.
botnet
SOC Analyst, Threat Hunter, CISO
A network of compromised computers controlled by an attacker through a command and control (C2) infrastructure.
boundary protection
Network / Infra, CISO
The monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthoriz...
breach and attack simulation
Pentest / Red Team, SOC Analyst, CISO
Automated tools that continuously simulate attacks against an organization's security controls to identify gaps and validate defensive capabilities.
bridge
Network / Infra
A network device that connects two or more network segments at the data link layer, filtering and forwarding frames based on MAC addresses.
bring your own device
CISO, GRC
A policy allowing employees to use personal devices for work purposes.
bring your own key
Cloud Security, CISO
A cloud security model where customers manage their own encryption keys rather than relying on the cloud provider's key management.
browser isolation
Network / Infra, SOC Analyst
A security technique that runs web browsing activities in an isolated environment separate from the endpoint, preventing malicious web content from...
brute force attack
Pentest / Red Team
An attack that systematically attempts all possible combinations of passwords or cryptographic keys until the correct one is found.
brute force protection
Network / Infra, AppSec / DevSecOps
Security mechanisms that detect and prevent brute force attacks, including account lockout policies, progressive delays, CAPTCHAs, and IP-based rat...
bruteforce
SOC Analyst, Threat Hunter
An attack method that uses trial and error to crack passwords, login credentials, and encryption keys.
buffer overflow
Pentest / Red Team
A programming vulnerability where data written to a buffer exceeds its capacity, overwriting adjacent memory.
bug
CISO, SOC Analyst
An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.
bug bounty
CISO, SOC Analyst
A program where organizations offer rewards to security researchers for responsibly disclosing vulnerabilities.
bug bounty program
CISO, AppSec / DevSecOps
An organized program where organizations offer monetary rewards to security researchers who responsibly disclose vulnerabilities.
build pipeline security
AppSec / DevSecOps
Security measures integrated into continuous integration/continuous deployment (CI/CD) pipelines to detect and prevent vulnerabilities in code.
build security in
SOC Analyst, Threat Hunter
A set of principles, practices, and tools to design, develop, and evolve information systems and software that enhance resistance to vulnerabilitie...
bulk data collection
Threat Intel, GRC
The large-scale collection of digital communications data.
business continuity
CISO
A strategic and tactical capability to continue critical operations during and after a disruptive incident.
business email compromise
SOC Analyst, CISO, Threat Intel
A sophisticated email scam targeting businesses that work with foreign suppliers or regularly perform wire transfers.
business impact analysis
CISO, GRC
A process that identifies and evaluates the potential effects of natural and man-made events on business operations.
business logic vulnerability
AppSec / DevSecOps, Pentest / Red Team
A flaw in the design or implementation of an application that allows an attacker to manipulate legitimate business processes for malicious purposes.
byod policy
CISO, GRC
An organizational policy that allows employees to use personal devices for work.
C
cache poisoning
GRC
An attack that corrupts cached data to serve malicious content to multiple users.
callback
SOC Analyst, Threat Hunter
Communication initiated by malware to contact its command and control server.
canary token
Threat Hunter, SOC Analyst
A digital tripwire that alerts defenders when accessed.
capability
CISO, SOC Analyst
The means to accomplish a mission, function, or objective.
captcha
AppSec / DevSecOps, Network / Infra
Completely Automated Public Turing test to tell Computers and Humans Apart.
captive portal
Network / Infra
A web page that a user is required to view and interact with before being granted broader access to a network.
catphish
SOC Analyst, Threat Hunter
The fabrication of a false online identity by a cybercriminal for the purposes of deception, fraud, or exploitation.
ccpa
GRC
A California state law that gives consumers rights over their personal information and requires businesses to implement data protection measures.
certificate authority
Network / Infra, AppSec / DevSecOps
A trusted entity that issues and manages digital certificates.
certificate pinning
AppSec / DevSecOps, Network / Infra
A security mechanism that associates a host with its expected X.509 certificate or public key.
certificate transparency
Network / Infra, AppSec / DevSecOps
A framework for monitoring and auditing the issuance of TLS certificates.
chain of custody
IR / Forensics
A documented process that tracks the handling and transfer of evidence to maintain its integrity and admissibility in legal proceedings.
chain of exploits
Pentest / Red Team, Threat Hunter
A sequence of multiple exploits chained together to achieve a goal that no single exploit could accomplish alone.
change management
CISO, GRC
A systematic approach to managing changes in IT systems to minimize risk and ensure security controls remain effective during transitions.
cia triad
CISO, Network / Infra
The foundational model of information security consisting of Confidentiality (preventing unauthorized access), Integrity (ensuring data accuracy an...
ciem
Cloud Security
Security solutions that manage and govern identities, access rights, and permissions across multi-cloud environments to enforce least privilege.
cipher
Network / Infra
An algorithm used for the encryption and decryption of data.
cipher block chaining
Network / Infra, AppSec / DevSecOps
A mode of operation for block ciphers where each block of plaintext is XORed with the previous ciphertext block before being encrypted, providing b...
cipher suite
Network / Infra, AppSec / DevSecOps
A set of cryptographic algorithms used together to secure network communications.
ciphertext
Network / Infra, AppSec / DevSecOps
Data or information in its encrypted form.
cis controls
SOC Analyst, Threat Hunter
A set of prioritized best practices for defending against cyber attacks, developed by the Center for Internet Security.
cladding
Network / Infra
The outer layer of fiber optic cable that confines light within the core.
clean desk policy
CISO, GRC
A corporate directive that specifies how employees should leave their working space when they leave the office.
cleanup
IR / Forensics
The final phase of incident response involving restoring systems to normal operation, removing malware artifacts, and implementing preventive measu...
clickjacking
SOC Analyst, Threat Hunter
A web application attack that tricks users into clicking hidden elements by overlaying invisible frames or buttons over legitimate content.
clientside
CISO, SOC Analyst
Everything in a web application that is displayed or takes place on the client (end user device). This includes what the user sees, such a...
cloud access security broker
Cloud Security
A security solution that sits between users and cloud services to monitor activity, enforce policies, and prevent data exfiltration.
cloud computing
Cloud Security, CISO
A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storag...
cloud detection and response
Cloud Security, SOC Analyst, IR / Forensics
A cloud-native security solution that provides real-time threat detection, investigation, and response across cloud workloads, identities, APIs, and s...
cloud encryption
Cloud Security
Encrypting data before uploading it to the cloud to ensure confidentiality even if the cloud provider is compromised.
cloud infrastructure entitlement management
Cloud Security, AppSec / DevSecOps, CISO
A security solution that manages and governs identities, access rights, and permissions across cloud and multi-cloud environments. Detects over-provisioned access and enforces least-privilege policies at scale.
cloud migration security
Cloud Security, CISO
The security considerations and practices involved in moving applications, data, and infrastructure from on-premises to cloud environments while ma...
cloud security alliance
Cloud Security, GRC
A non-profit organization that defines best practices for securing cloud computing environments.
cloud security posture management
CISO, Cloud Security
A security solution that continuously monitors cloud configurations and identifies misconfigurations, compliance violations, and security risks in ...
cloud workload protection platform
Cloud Security
A security solution that protects cloud workloads (VMs, containers, serverless) from vulnerabilities and threats.
cloud-native application protection platform
Cloud Security, Network / Infra
An integrated platform that provides comprehensive protection for cloud-native applications, including code scanning, runtime protection, and incid...
cobit
CISO
A framework for IT governance and management that helps organizations align IT with business objectives.
code injection
Pentest / Red Team, AppSec / DevSecOps
An attack technique where an attacker introduces malicious code into a vulnerable application.
code review
AppSec / DevSecOps
The process of examining source code for security vulnerabilities, logic errors, and coding standard violations.
code signing
CISO, SOC Analyst
The practice of digitally signing software code to verify its authenticity and integrity.
collect & operate
CISO, SOC Analyst
A NICE Framework category consisting of specialty areas responsible for specialized denial and deception operations and collection of cybersecurity...
collection operations
CISO, SOC Analyst
In the NICE Framework, cybersecurity work where a person: Executes collection using appropriate strategies and within the priorities established th...
collective defense
SOC Analyst, Threat Hunter
A collaborative security approach where organizations share threat information and defensive techniques to strengthen defense against adversaries a...
collision
AppSec / DevSecOps
In cryptography, a situation where two different inputs produce the same hash output.
command and control
Threat Hunter, SOC Analyst, IR / Forensics, Threat Intel
Infrastructure used by attackers to communicate with and control compromised systems.
command injection
Pentest / Red Team, AppSec / DevSecOps
An attack that exploits vulnerabilities in applications that pass unsanitized user input to system commands, allowing execution of arbitrary comman...
commodity malware
Threat Intel, SOC Analyst, IR / Forensics
Widely available, off-the-shelf malware that is used by many threat actors.
common criteria
GRC, CISO
An international standard (ISO/IEC 15408) for evaluating the security properties of IT products.
common vulnerabilities and exposures
SOC Analyst, Threat Hunter
A publicly disclosed vulnerability assigned a unique identifier.
common vulnerability scoring system
Pentest / Red Team
A framework for rating the severity of vulnerabilities from 0 to 10 based on factors like attack vector, complexity, and impact.
common weakness enumeration
Pentest / Red Team
A list of software and hardware weaknesses that can lead to vulnerabilities.
compensating control
GRC, CISO
An alternative security measure employed when a primary control cannot be implemented.
compliance
CISO, GRC
The state of adhering to security policies, standards, frameworks, and regulations applicable to an organization.
compliance framework
GRC, CISO
A structured set of guidelines and best practices that organizations follow to meet regulatory requirements and industry standards for security and...
computer network defense
Network / Infra
The actions taken to defend against unauthorized activity within computer networks.
computer network defense analysis
Network / Infra
In the NICE Framework, cybersecurity work where a person: Uses defensive measures and information collected from a variety of sources to identify, ...
computer network defense infrastructure support
GRC, Network / Infra
In the NICE Framework, cybersecurity work where a person: Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardwa...
conditional access
CISONetwork / Infra
A security model that grants access based on real-time evaluation of contextual conditions such as device health, location, and risk level.
confidentiality
CISONetwork / Infra
A security principle ensuring that information is accessible only to authorized individuals and protected from disclosure.
configuration drift
Cloud SecurityGRC
The gradual divergence of system configurations from their documented or intended state over time.
configuration management
CISOSOC Analyst
The process of documenting, tracking, and controlling changes to systems and software.
consequence
SOC Analyst
The effect of an event, incident, or occurrence.
container image scanning
Cloud SecurityAppSec / DevSecOps
The process of analyzing container images for known vulnerabilities and misconfigurations before deployment.
container security
Cloud Security
The practice of securing containerized applications through image scanning, runtime protection, and orchestration security.
containerization
Cloud SecurityAppSec / DevSecOps
A method of virtualization where applications run in isolated user spaces called containers, sharing the host OS kernel.
containment
IR / ForensicsSOC Analyst
An incident response phase focused on limiting the scope and impact of a security incident.
content filtering
Network / InfraSOC Analyst
The process of monitoring and restricting access to web content based on predefined policies.
content security policy
AppSec / DevSecOps
An HTTP response header that allows website administrators to control resources the browser is allowed to load.
continuity of operations plan
CISOSOC Analyst
A document that sets forth procedures for the continued performance of core capabilities and critical operations during any disruption or potential...
continuous integration security
AppSec / DevSecOps
Security practices integrated into CI/CD pipelines, including automated code scanning, dependency checking, container image scanning, and security ...
continuous monitoring
SOC AnalystGRCCISO
The ongoing surveillance of an organization's security posture through automated tools and processes.
counter-biometrics
CISOSOC Analyst
The methods used to bypass or spoof biometric security systems.
counterintel
CISOSOC Analyst
Monitoring other competitor organizations and nations to gather information.
countermeasure
CISOSOC Analyst
An action, device, procedure, or technique that reduces a threat, vulnerability, or attack by eliminating or preventing it, or by minimizing the ha...
covert channel
Threat HunterPentest / Red Team
An unauthorized communication path that allows the transfer of information in a manner that violates the system's security policy.
credential dumping
Pentest / Red TeamIR / ForensicsThreat Hunter
The technique of extracting credentials from operating system memory, registry, or files.
credential harvesting
Threat IntelPentest / Red TeamSOC Analyst
The process of collecting user credentials through phishing, keylogging, or other techniques.
credential rotation
Cloud SecurityCISO
The practice of regularly changing passwords, API keys, certificates, and other credentials to limit the window of opportunity for compromised cred...
credential stuffing
SOC AnalystThreat Hunter
An attack that uses previously compromised username and password pairs to gain unauthorized access to accounts.
crimeware
SOC AnalystThreat Hunter
A class of malware designed specifically to automate cybercrime.
critical infrastructure
CISOSOC Analyst
The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact ...
crl
Network / Infra
A list maintained by a Certificate Authority of digital certificates that have been revoked before their scheduled expiration date and should no lo...
cross-origin resource sharing
AppSec / DevSecOps
A browser security mechanism that controls how web pages from one origin can request resources from another origin.
cross-site request forgery
SOC AnalystThreat Hunter
An attack that tricks authenticated users into performing unwanted actions on websites where they are logged in.
cross-site scripting
Pentest / Red Team
A web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
cross-zone scripting
AppSec / DevSecOps
A browser vulnerability that allows scripts from a less privileged zone to execute in a more privileged zone, potentially gaining access to local s...
crowdsourced
CISOSOC Analyst
To obtain (information or input into a particular task or project) by enlisting the services of a large number of people, either paid or unpaid, typic...
crowdstrike falcon
SOC Analyst
A cloud-native endpoint security platform that combines EDR, threat intelligence, and managed threat hunting capabilities.
cryptanalysis
Network / InfraAppSec / DevSecOps
The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques and without an i...
cryptocurrency
Network / InfraAppSec / DevSecOps
A digital currency in which transactions are verified and records maintained by a decentralized system using cryptography, rather than by a central...
cryptographic algorithm
Network / InfraAppSec / DevSecOps
A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
cryptographic hash
AppSec / DevSecOpsIR / Forensics
A fixed-size output produced by a hash function that uniquely represents input data.
cryptography
Network / InfraAppSec / DevSecOps
The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication, and data origin au...
cryptojacking
SOC AnalystThreat HunterCISO
Malware or code that hijacks computing resources to mine cryptocurrencies without the user's knowledge or consent.
cryptology
SOC Analyst
The mathematical science that deals with cryptanalysis and cryptography.
cryptomalware
SOC AnalystThreat Hunter
Malware that encrypts data on the target's device and demands a ransom to restore it.
cryptominers
SOC AnalystThreat Hunter
Cryptomining is an online threat that hides on a computer or mobile device and uses the machine’s resources to “mine” cryptocurrencies.
customer service and technical support
Network / Infra
In the NICE Framework, cybersecurity work where a person: Addresses problems, installs, configures, troubleshoots, and provides maintenance and tra...
cyber attack
SOC AnalystCISO
A deliberate attempt to breach the security of a computer system, network, or application to steal data, cause damage, or disrupt operations.
cyber attribution
Threat Intel
The process of identifying the perpetrator of a cyber attack based on technical evidence, behavioral patterns, and intelligence analysis.
cyber deception
Threat HunterSOC Analyst
A proactive defense strategy that uses decoys, honeypots, and deceptive data to mislead attackers, detect their presence, and gather intelligence a...
cyber ecosystem
CISOSOC Analyst
The interconnected information infrastructure of interactions among persons, processes, data, and information and communications technologies, alon...
cyber exercise
CISOSOC Analyst
A planned event during which an organization simulates a cyber disruption to develop or test capabilities such as preventing, detecting, mitigating...
cyber hygiene
CISOSOC Analyst
The fundamental practices and steps users and organizations take to maintain system health and improve online security.
cyber infrastructure
CISONetwork / Infra
Electronic information and communications systems and services and the information contained therein.
cyber insurance
CISOGRC
Insurance coverage designed to help organizations mitigate financial losses from cyber incidents including data breaches, ransomware, and business ...
cyber kill chain
Pentest / Red Team
A framework developed by Lockheed Martin that describes the stages of a cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation, Instal...
cyber kill chain analysis
Threat HunterSOC AnalystThreat Intel
The process of mapping observed attacker activity to the phases of the Cyber Kill Chain framework to understand attack progression and identify def...
cyber operations
Network / Infra
In the NICE Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in or...
cyber operations planning
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Performs in-depth joint targeting and cyber planning process.
cyber range
Pentest / Red TeamSOC Analyst
A virtual environment used for cybersecurity training, testing, and exercises.
cyber resilience
CISOGRC
An organization's ability to continuously deliver intended outcomes despite adverse cyber events.
cyber security
SOC AnalystThreat Hunter
The practice of protecting computer systems and networks from digital attacks.
cyber threat
CISOSOC Analyst
Any potential malicious attack that seeks to unlawfully access data, disrupt digital operations, or damage information systems.
cyber threat intelligence
Threat IntelCISOSOC Analyst
Evidence-based knowledge about existing or emerging threats to an organization's assets.
cyber threat intelligence (cti)
Threat Intel
The collecting, processing, organizing, and analyzing data into actionable information that relates to capabilities, opportunities, actions, and in...
cyber-biosecurity
SOC AnalystThreat Hunter
An emerging field that addresses the intersection of cybersecurity and biosecurity, focusing on protecting biological data, processes, and systems ...
cyberattack
Pentest / Red Team
A malicious and deliberate attempt to breach the information system.
cyberespionage
SOC AnalystThreat Hunter
Also called cyber spying; a type of cyberattack in which an unauthorized user attempts to access sensitive or classified data or intellectual property (I...
cyberforensic
IR / Forensics
The process of collecting, analyzing, and preserving digital evidence to investigate cybercrimes and other incidents.
cybersecuring
SOC AnalystThreat Hunter
The process of hardening technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks.
cybersecurity
CISOIR / ForensicsPentest / Red TeamGRC
The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are p...
cybersecurity adjacent
CISOSOC Analyst
Roles that have cybersecurity responsibilities which typically form only part of their overall responsibilities within an organization.
cybersecurity-aware
SOC AnalystThreat Hunter
Knowing what security threats are and acting responsibly to avoid potential risks.
cyberthreats
SOC AnalystThreat Hunter
Anything that has the potential to cause serious harm to a computer system. A cyberthreat is something that may or may not happen, but has...
cyberwarfare
Network / Infra
Typically defined as a set of actions by a nation or organization to attack countries or institutions' computer network systems with the intention ...
cyberwarrior
CISOSOC Analyst
An individual who participates in cyberwarfare, motivated by personal, patriotic, or religious reasons, but not due to professional requirement.
D
dark net
Threat Intel
An overlay network that requires specific software or authorization to access.
dark web
Threat IntelCISO
A part of the internet that requires special software (like Tor) to access and is often associated with illegal activities, including trading stole...
data administration
GRC
In the NICE Framework, cybersecurity work where a person: Develops and administers databases and/or data management systems that allow for the stor...
data aggregation
CISONetwork / Infra
The process of gathering and combining data from different sources, so that the combined data reveals new information.
data at rest
GRCCloud Security
Data stored on physical media such as hard drives, databases, or cloud storage.
data at rest encryption
GRCCloud Security
Encryption applied to data stored on disk, in databases, or in cloud storage to protect it from unauthorized access if physical security is comprom...
data backup
CISOGRC
The process of creating copies of data that can be restored in case of data loss, corruption, or ransomware attack.
data breach
CISOSOC AnalystGRCIR / Forensics
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or se...
data classification
GRCCISO
The process of organizing data into categories based on sensitivity and criticality.
data custodian
GRCCISO
The individual or department responsible for implementing security controls and maintaining data on behalf of the data owner.
data diode
Network / Infra
A network appliance that allows data to travel in only one direction, physically preventing data exfiltration from protected networks while allowin...
data encryption at rest
GRCCloud Security
The process of encoding stored data so it cannot be read without the proper decryption key.
data encryption standard
Network / Infra
A symmetric-key algorithm for encryption published by NIST.
data exfiltration
SOC AnalystThreat HunterIR / Forensics
The unauthorized transfer of data from an organization's systems.
data governance
GRCCISO
The overall management of data availability, usability, integrity, and security in an organization.
data in transit
Network / InfraGRC
Data actively moving from one location to another, such as across the internet or through a private network.
data integrity
CISOSOC Analyst
The property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner.
data lake security
Cloud SecurityGRC
Security controls and practices for protecting large repositories of raw data stored in their native format.
data loss
CISOSOC Analyst
The result of unintentionally or accidentally deleting data, forgetting where it is stored, or exposure to an unauthorized party.
data loss prevention
SOC Analyst
A security solution that detects and prevents unauthorized transmission or storage of sensitive data.
data masking
AppSec / DevSecOpsGRC
The process of obscuring specific data within a database to protect it from unauthorized access while maintaining its usability for testing or deve...
data mining
CISOSOC Analyst
The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
data owner
GRCCISO
The individual or entity with the authority and responsibility for specifying the security controls for data they manage and determining who has ac...
data poisoning
AppSec / DevSecOpsThreat IntelThreat Hunter
An adversarial attack that manipulates training data to compromise the integrity of a machine learning model. Can introduce backdoors, degrade model accuracy, or cause targeted misclassifications in AI-powered security tools.
data protection
GRC
The process of safeguarding data from loss, theft, and corruption through various security controls and best practices.
data residency
GRCCloud Security
Requirements specifying that data must be stored and processed within a specific geographic location or jurisdiction, driven by regulatory complian...
data security posture management
Cloud SecurityGRCCISO
A security discipline that continuously discovers, classifies, and monitors sensitive data across cloud, hybrid, and multi-cloud environments, assessi...
data sovereignty
GRCCISO
The concept that data is subject to the laws and governance of the country where it is collected or stored.
data theft
CISOSOC Analyst
The deliberate or intentional act of stealing information.
database activity monitoring
SOC AnalystGRC
A security technology that monitors and analyzes database activity to identify unauthorized or suspicious actions, independent of native database a...
dataops
CISOSOC Analyst
A collaborative data management practice focused on improving the communication, integration and automation of data flows between data managers and...
dbaas
CISONetwork / Infra
A cloud database offering that provides customers with access to a database without having to deploy and manage the underlying infrastructure.
ddos
SOC AnalystThreat Hunter
A cybercrime in which the attacker floods a target with internet traffic to prevent users from accessing connected online services and sites.
ddos attack
Pentest / Red TeamNetwork / Infra
Distributed Denial of Service attack that floods a target with traffic from multiple sources to overwhelm its capacity and make it unavailable.
ddos mitigation
Network / Infra
The techniques and technologies used to resist or reduce the impact of distributed denial-of-service attacks, including traffic scrubbing, rate lim...
de-perimeterization
CISO
An information security strategy that strengthens an organization's security posture by implementing multiple levels of protection, including inheren...
dead drop
Threat IntelThreat Hunter
In cybersecurity, a legitimate web service used by threat actors to exchange information covertly, such as storing C2 instructions in public blogs,...
deauthentication
SOC AnalystThreat Hunter
To revoke the authentication of; to cause no longer to be authenticated.
deauthentication attack
Pentest / Red TeamNetwork / Infra
A type of denial-of-service attack targeting wireless networks by sending forged deauthentication frames, forcing devices to disconnect from the ac...
deception technology
Threat HunterSOC Analyst
Security tools that deploy decoy systems, credentials, and data to detect and deflect attackers.
decipher
Network / InfraAppSec / DevSecOps
To convert enciphered text to plain text by means of a cryptographic system.
decode
CISOSOC Analyst
To convert encoded text to plain text by means of a code.
decrypt
CISOSOC Analyst
A generic term encompassing decode and decipher.
decryption
Network / InfraAppSec / DevSecOps
The process of converting encrypted ciphertext back to plaintext using a decryption key.
decryptor
Network / InfraAppSec / DevSecOps
A tool, or set of tools, used to decrypt encrypted files.
deep packet inspection
Network / InfraSOC Analyst
A form of network packet filtering that examines the data payload of packets as they pass through a checkpoint, enabling detailed traffic analysis ...
deepfake
CISOSOC Analyst
Synthetic media created using deep learning techniques to create realistic but fake video or audio.
defense in depth
CISOSOC Analyst
A security strategy that employs multiple layers of defensive measures to protect critical information and systems.
demilitarized zone
CISOSOC Analyst
A physical or logical network segment that contains external-facing services while protecting internal networks.
demilitarized zone network
Network / Infra
A perimeter network segment that separates an organization's internal network from untrusted external networks.
denial of service
SOC AnalystThreat Hunter
An attack that prevents or impairs the authorized use of information system resources or services.
dependency confusion
AppSec / DevSecOps
A supply chain attack that exploits how package managers resolve dependencies, tricking build systems into downloading malicious packages from publ...
dependency management
AppSec / DevSecOps
The process of tracking, updating, and managing third-party libraries and dependencies used in software projects.
detection engineering
SOC AnalystThreat Hunter
The practice of designing, building, and maintaining detection logic and rules to identify threats.
device code phishing
Threat IntelSOC AnalystPentest / Red Team
A phishing technique that abuses the OAuth 2.0 Device Authorization Grant flow (RFC 8628) to intercept authentication tokens, routing victims through ...
devops
CISOSOC Analyst
The combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services.
devops security
AppSec / DevSecOps
The integration of security practices into the DevOps methodology, ensuring that security is considered at every stage of the software development ...
devsecops
AppSec / DevSecOps
An approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.
diamond model
Cloud Security
A threat analysis framework that examines adversary, capability, infrastructure, and victim in relation to each other.
dictionary attack
Pentest / Red Team
A password cracking technique that systematically enters every word in a dictionary as a password.
diffie-hellman
Network / InfraAppSec / DevSecOps
A cryptographic algorithm for secure key exchange over insecure channels.
digital certificate
Network / InfraAppSec / DevSecOps
An electronic document that uses a digital signature to bind a public key with an identity.
digital forensics
IR / ForensicsNetwork / Infra
The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.
digital forensics and incident response
SOC AnalystIR / Forensics
A discipline combining digital forensics investigation with incident response procedures to detect, investigate, and remediate cyber attacks.
digital rights management
CISONetwork / Infra
A form of access control technology to protect and manage use of digital content or devices in accordance with the content or device provider's int...
digital signature
Network / Infra
A cryptographic technique that verifies the authenticity and integrity of a message or document.
digital twin
Network / InfraCISO
A virtual replica of a physical system used for simulation and analysis.
directory traversal
Pentest / Red TeamAppSec / DevSecOps
A web vulnerability that allows attackers to access files outside the intended directory by manipulating file path references.
disaster recovery
CISOIR / ForensicsAppSec / DevSecOps
A set of policies and procedures for recovering from a major failure or disaster.
disaster recovery plan
CISOGRC
A documented set of procedures to recover and protect IT infrastructure in the event of a disaster.
disinformationists
GRC
One who propagates disinformation.
disk encryption
GRCNetwork / Infra
Full disk encryption technology that encrypts every bit of data on a disk drive.
disk forensics
IR / Forensics
Forensic analysis of storage devices to recover deleted files, unallocated space data, and evidence of system activity.
disruption
CISOSOC Analyst
An event which causes unplanned interruption in operations or functions for an unacceptable length of time.
disruptionware
SOC AnalystThreat Hunter
A category of malware designed to suspend operations within a target through the compromise of the availability, integrity, and confidentiality of ...
distributed denial of service
SOC AnalystThreat Hunter
A denial of service technique that uses numerous systems to perform the attack simultaneously.
distros
CISOSOC Analyst
A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system.
dkim
Network / Infra
An email authentication method that uses digital signatures to verify that an email was sent from an authorized server and has not been modified in...
dll sideloading
IR / ForensicsThreat HunterPentest / Red Team
An attack technique where adversaries place a malicious DLL alongside a legitimate executable that loads it due to the Windows DLL search order, allow...
dmarc
Network / InfraSOC Analyst
An email authentication protocol that builds on SPF and DKIM to protect email domains from unauthorized use, including phishing and email spoofing.
dns cache poisoning
Network / InfraPentest / Red Team
An attack that corrupts a DNS resolver's cache, causing it to return incorrect IP addresses and redirecting users to malicious websites without the...
dns exfiltration
Threat HunterSOC Analyst
A technique where attackers encode stolen data in DNS queries to bypass traditional security controls.
dns over https
Network / Infra
A protocol that encrypts DNS queries using HTTPS to prevent eavesdropping and manipulation of DNS data.
dns sinkhole
SOC AnalystNetwork / Infra
A DNS server configured to supply false information to prevent the use of domain names associated with malicious activity.
dns spoofing
Network / Infra
An attack that corrupts DNS cache or responses to redirect users to attacker-controlled IP addresses.
dns tunneling
Threat HunterNetwork / InfraSOC Analyst
A technique that encodes data within DNS queries and responses to bypass network security controls.
dnssec
Network / Infra
A suite of extensions to DNS that adds authentication to DNS responses, protecting against DNS spoofing and cache poisoning attacks.
dnstwist
Network / Infra
Generates a list of similar-looking domain names for a given domain name and performs DNS queries for them (A, AAAA, NS and MX) which can be used...
domain controller
Network / InfraPentest / Red Team
A server that responds to authentication requests and verifies users on a Windows domain network.
domain fronting
Threat IntelThreat Hunter
A technique that uses different domain names at different layers of communication to hide the true destination of a connection.
domain generation algorithm
Threat IntelThreat HunterSOC Analyst
An algorithm used by malware to periodically generate a large number of domain names for use as command and control rendezvous points.
domain name system
Network / Infra
The system that translates human-readable domain names into IP addresses.
dorking
CISOSOC Analyst
Using search techniques to hack into vulnerable sites or search for information that is not available in public search results.
double extortion
Threat IntelIR / ForensicsCISO
A ransomware tactic where attackers both encrypt data and exfiltrate it, threatening to publish stolen data if the ransom is not paid.
downgrade attack
Pentest / Red TeamNetwork / Infra
An attack that forces a system to use a less secure version of a protocol or weaker cipher suite, making it easier for the attacker to exploit know...
downtime
CISO
The period during which a system, network, or service is unavailable.
dox
CISOSOC Analyst
The act of publicly providing personally identifiable information about an individual or organization, usually via the Internet and without their c...
doxxing
SOC AnalystThreat Hunter
Doxxing can be illegal, but its legality depends on the specific circumstances, such as the intent behind it and the jurisdiction.
dpia
GRC
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to min...
drive-by download
SOC AnalystThreat Hunter
An attack where malware is automatically downloaded and installed on a user's system when visiting a compromised website, often without user intera...
dropper
SOC AnalystThreat Hunter
Malware designed to download and install other malware payloads on compromised systems.
dual-homed host
Network / Infra
A computer with two network interfaces connected to different networks.
durable nonce attack
Threat IntelAppSec / DevSecOps
An attack exploiting blockchain durable nonce features to pre-sign transactions that remain valid indefinitely, enabling adversaries to bypass time-ba...
dwell time
SOC AnalystCISOIR / Forensics
The time between initial compromise and detection of an intrusion.
dynamic analysis
AppSec / DevSecOpsIR / Forensics
A method of analyzing software by executing programs in real-time to identify vulnerabilities, malicious behavior, or runtime errors.
dynamic application security testing
AppSec / DevSecOps
An automated security testing approach that executes an application and analyzes its behavior to identify vulnerabilities.
dynamic attack surface
Pentest / Red Team
The automated, on-the-fly changes of an information system's characteristics to thwart actions of an adversary.
E
east-west traffic
Network / InfraCloud Security
Network traffic that flows laterally between servers or applications within a data center, as opposed to north-south traffic entering or leaving th...
ecrime
CISOSOC Analyst
Criminal activity that involves the use of computers or networks such as the internet.
education and training
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Conducts training of personnel within pertinent subject domain; develop, plan, coordinate...
egress filtering
Network / InfraSOC Analyst
The practice of monitoring and controlling outbound network traffic to prevent data exfiltration, malware communication, and unauthorized connections.
elastic security
SOC Analyst
A security solution built on the Elastic Stack that provides SIEM, endpoint security, and cloud security capabilities with unified visibility acros...
electronic signature
Network / Infra
Any mark in electronic form associated with an electronic document, applied with the intent to sign the document.
elliptic curve cryptography
Network / InfraAppSec / DevSecOps
An asymmetric encryption method based on elliptic curves that provides equivalent security to RSA with smaller key sizes.
email authentication
Network / InfraSOC Analyst
Techniques to verify the legitimacy of email senders, including SPF, DKIM, and DMARC.
email bombing
SOC AnalystNetwork / Infra
A denial-of-service attack that floods a target email address with a massive volume of messages, making the mailbox unusable and potentially crashi...
email gateway
Network / InfraSOC Analyst
A server or service that filters incoming and outgoing email for spam, malware, phishing attempts, and policy violations before delivery to the rec...
email security
Network / InfraSOC Analyst
Technologies and practices for protecting email accounts and communications from unauthorized access, phishing, malware, and data loss.
embedded system security
Network / InfraAppSec / DevSecOps
Security considerations specific to embedded computing devices such as IoT devices, medical equipment, and industrial controllers.
encipher
Network / InfraAppSec / DevSecOps
To convert plaintext to ciphertext by means of a cryptographic system.
enclave
Network / InfraCloud Security
A protected network segment with defined boundaries and security policies.
encode
CISOSOC Analyst
To convert plaintext to ciphertext by means of a code.
encrypt
Network / InfraAppSec / DevSecOps
The generic term encompassing encipher and encode.
encryption
Network / InfraAppSec / DevSecOps
The process of converting plaintext into ciphertext using cryptographic algorithms.
encryption key
Network / Infra
A piece of information used to encrypt or decrypt data through a cryptographic algorithm.
end-to-end encryption
Network / InfraAppSec / DevSecOps
An encryption method where only the sender and recipient can read messages, with encryption occurring at the endpoints rather than on intermediate ...
endpoint
SOC AnalystNetwork / Infra
Any device that connects to a network, including computers, mobile devices, servers, and IoT devices.
endpoint detection and response
SOC Analyst
A security tool that monitors endpoints for suspicious activity and enables rapid response to detected threats.
endpoint hardening
SOC AnalystNetwork / Infra
The process of securing endpoints by reducing attack surface, disabling unnecessary services, enforcing security configurations, and implementing p...
endpoint protection platform
SOC Analyst
An integrated security solution deployed on endpoint devices to prevent file-based malware, detect malicious activity, and provide investigation an...
enisa
CISOSOC Analyst
Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhan...
enterprise mobility management
CISO
A comprehensive approach to securing and managing mobile devices, applications, and content used in enterprise environments.
enterprise risk management
CISO
A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision m...
enumeration
Pentest / Red TeamThreat Hunter
The process of extracting information about users, shares, services, and configurations from a target system during the reconnaissance phase of an ...
eol
CISOSOC Analyst
Indicates that the app has reached the end of its useful life.
eradication
IR / ForensicsSOC Analyst
An incident response phase focused on removing the threat from the environment.
escalation of privilege
Pentest / Red TeamSOC Analyst
When an attacker gains higher access rights than authorized, either through vertical escalation (admin access) or horizontal escalation (accessing ...
ethical hacking
Pentest / Red Team
Authorized testing of computer systems and networks to identify security vulnerabilities before malicious actors can exploit them.
event
SOC Analyst
An observable occurrence in an information system or network.
event correlation
SOC Analyst
The process of analyzing and connecting multiple security events from different sources to identify patterns that indicate a security incident or a...
evidence collection
SOC AnalystIR / Forensics
The process of gathering and preserving digital artifacts and logs as evidence during incident investigation.
evil twin
Network / Infra
A rogue wireless access point that mimics a legitimate network to trick users into connecting.
excessive agency
AppSec / DevSecOpsThreat Intel
A vulnerability in LLM-powered applications where an AI agent is granted more permissions, autonomy, or capabilities than necessary for its intended function, potentially allowing unintended or harmful actions. Ranked in the OWASP Top 10 for LLM Applications.
exfiltration
CISOSOC Analyst
The unauthorized transfer of information from an information system.
exploit
Pentest / Red Team
A piece of code or technique used to take advantage of a vulnerability and compromise a system.
exploit kit
SOC AnalystThreat Intel
A toolkit that automates the exploitation of client-side vulnerabilities, typically targeting web browsers and plugins.
exploitation analysis
Pentest / Red Team
In the NICE Framework, cybersecurity work where a person: Analyzes collected information to identify vulnerabilities and potential for exploitation.
exposure
SOC AnalystThreat Hunter
A condition or instance where a system is susceptible to loss or damage.
exposure management
CISOPentest / Red TeamGRC
A continuous process of identifying, prioritizing, and remediating security exposures across an organization's attack surface.
extended detection and response
SOC Analyst
An advanced security platform that integrates EDR with network, cloud, and application data to provide comprehensive threat detection and response ...
external attack surface management
CISOSOC Analyst
The continuous discovery, monitoring, and management of an organization's internet-facing assets to identify vulnerabilities and reduce exposure to...
F
faas
CISOSOC Analyst
A cloud-computing service that allows customers to execute code in response to events, without managing the complex infrastructure.
fail-safe
CISONetwork / Infra
A design principle where a system defaults to a secure state in the event of failure.
failover
Network / InfraCISO
The automatic switching to a redundant system, server, or network upon failure of the currently active system.
failure
CISOSOC Analyst
The inability of a system or component to perform its required functions within specified performance requirements.
false flag
Threat IntelIR / Forensics
A deception technique in which a threat actor deliberately mimics the TTPs, malware signatures, or infrastructure patterns of another known threat actor or nation-state to obscure true attribution and mislead incident responders.
false negative
SOC AnalystThreat Hunter
A failure to detect an actual security threat.
false positive
SOC AnalystThreat Hunter
A security alert that incorrectly indicates a threat when none exists.
federated identity
CISOCloud Security
A system of trust between multiple organizations that allows users to use the same credentials to access resources across organizational boundaries.
fedramp
SOC AnalystGRC
A U.S.
fedramp-compliant
SOC AnalystGRC
A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products...
file integrity monitoring
SOC AnalystGRCIR / Forensics
A security control that monitors and detects changes to critical system files, configurations, and content.
file transfer protocol
Network / Infra
A standard network protocol used for transferring files between a client and server.
fileless attack
Threat HunterIR / ForensicsSOC Analyst
An attack that operates entirely in memory without writing malicious files to disk.
fileless malware
IR / Forensics
Malware that operates in system memory without writing files to disk, evading traditional file-based detection methods.
firewall
Network / Infra
A network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
firmware
Network / InfraPentest / Red Team
Low-level software embedded in hardware devices that controls device functions.
footprinting
Network / InfraPentest / Red TeamThreat Intel
An ethical hacking technique used to gather as much data as possible about a specific targeted computer system, an infrastructure and networks to i...
forensics
IR / Forensics
The process of collecting, preserving, analyzing, and presenting digital evidence to reconstruct security incidents and support legal proceedings.
fuzz testing
AppSec / DevSecOpsPentest / Red Team
An automated software testing technique that provides random, unexpected, or malformed data as input to a program to discover bugs, crashes, and se...
fuzzer
CISOSOC Analyst
An automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabili...
fuzzing
Pentest / Red TeamAppSec / DevSecOps
An automated software testing technique that provides random, malformed, or unexpected input to discover vulnerabilities.
G
gap analysis
GRCCISO
An assessment comparing current security posture against a desired state or framework requirements.
gateway
Network / Infra
A network node that serves as an access point to another network, often involving protocol conversion.
gdpr
GRC
A European Union regulation that protects personal data and privacy of EU residents.
geofencing
CISOSOC Analyst
The practice of setting up triggers so that when a device such as an internet-connected smartphone enters a defined geographical boundary, the user gets an alert.
geoip
CISOSOC Analyst
A technique for locating a web user based on their IP address.
georedundancy
CISOSOC Analyst
The distribution of mission-critical components or infrastructures across multiple geographic locations. Geo-redundancy acts as a safety in case of ...
golden ticket
Pentest / Red TeamIR / ForensicsThreat Hunter
A forged Kerberos TGT (Ticket Granting Ticket) created using a stolen KRBTGT account hash, granting the attacker unlimited access to any resource i...
golden ticket attack
Pentest / Red TeamIR / ForensicsThreat Hunter
A Kerberos-based attack where an attacker creates a forged Ticket Granting Ticket using the KRBTGT account hash, enabling unrestricted access to an...
governance
CISO
The processes and structures for making and enforcing decisions, managing risk, and ensuring compliance with policies.
grayware
SOC Analyst
Software that falls between legitimate software and malware.
grc platform
GRCCISO
An integrated technology platform that helps organizations manage governance, risk, and compliance activities in a unified manner.
grey box testing
Pentest / Red Team
A testing methodology where the tester has partial knowledge of the target system.
H
hack-for-hire
Threat Intel
Commercial services offered by individuals or groups who perform cyber attacks for paying clients.
hackathon
CISOSOC Analyst
A gathering of individuals from various backgrounds and different stages in their careers (hobbyist to professionals) to solve problems of common i...
hacker
CISONetwork / InfraPentest / Red TeamThreat Intel
An unauthorized user who attempts to or gains access to an information system.
hacker ethic
Pentest / Red Team
A philosophical approach to computing that emphasizes sharing, openness, decentralization, free access to computers, and world improvement.
hardening
Network / InfraCloud SecuritySOC Analyst
The process of securing a system by reducing its attack surface through disabling unnecessary services, applying patches, configuring security sett...
hardware security module
Network / InfraCloud Security
A dedicated crypto processor that manages digital keys, performs encryption and decryption, and provides strong authentication.
hash function
AppSec / DevSecOpsIR / Forensics
A mathematical function that converts an input into a fixed-size output.
hash value
Network / InfraAppSec / DevSecOps
A numeric value resulting from applying a mathematical algorithm against a set of data such as a file.
hashing
Network / InfraAppSec / DevSecOps
A cryptographic process that converts input data into a fixed-size string of characters.
havoc c2
Threat HunterIR / ForensicsPentest / Red Team
An open-source post-exploitation command and control framework used by threat actors as an alternative to Cobalt Strike, providing features such as pa...
hazard
CISOSOC Analyst
A natural or man-made source or cause of harm or difficulty.
health insurance portability and accountability act
GRC
A US federal law establishing national standards for protecting sensitive patient health information from disclosure without patient consent or kno...
heartbleed
Network / InfraAppSec / DevSecOps
A critical vulnerability in the OpenSSL cryptographic software library (CVE-2014-0160) that allowed stealing of information protected by TLS encryp...
hids
SOC AnalystNetwork / Infra
An intrusion detection system that monitors and analyzes the internals of a computing system, including system calls, file modifications, and log f...
high availability
Network / InfraCISO
A system design approach that ensures a certain degree of operational continuity during a given measurement period.
hipaa
GRC
A U.S.
homomorphic encryption
Cloud SecurityAppSec / DevSecOps
An encryption scheme that allows computations to be performed on encrypted data without decrypting it first, producing results identical to those p...
honeynetting
CISOSOC Analyst
A network set up with intentional vulnerabilities hosted on a decoy server to attract hackers.
honeyport
Network / Infra
A computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information.
honeypot
CISOSOC AnalystThreat HunterThreat Intel
A computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information.
honeytoken
Threat HunterSOC Analyst
A fake piece of data (credential, file, database record) planted to detect unauthorized access.
honeytokens
CISOSOC Analyst
Data that looks attractive to cyber criminals but is actually false or of no value. A fake IT resource created and positioned in a system or netw...
host intrusion prevention system
SOC AnalystNetwork / Infra
A security agent installed on a host that monitors system calls, file system modifications, and network activity to detect and prevent malicious be...
host-based firewall
Network / Infra
A software firewall installed on individual computers that filters incoming and outgoing network traffic for that specific host based on a defined ...
host-based intrusion detection
SOC AnalystNetwork / Infra
An intrusion detection system that monitors a single host for suspicious activity by analyzing system logs, file changes, and process behavior.
http response splitting
Threat HunterPentest / Red Team
A web application vulnerability that allows attackers to inject arbitrary HTTP response headers by inserting CRLF characters into response data.
http strict transport security
AppSec / DevSecOpsNetwork / Infra
A web security policy mechanism that forces browsers to interact with websites only over HTTPS connections, protecting against protocol downgrade a...
https
Network / InfraAppSec / DevSecOps
The secure version of HTTP that uses TLS encryption to protect data exchanged between a web browser and website.
https inspection
Network / InfraSOC Analyst
The practice of decrypting, inspecting, and re-encrypting HTTPS traffic at a security appliance to detect threats hiding within encrypted communica...
human intelligence
Threat Intel
Intelligence gathered through human sources such as informants, interviews, and observations.
human-operated ransomware
IR / ForensicsThreat Intel
Ransomware attacks that involve active human involvement by attackers who manually navigate networks, escalate privileges, and deploy ransomware af...
hybrid cloud
Cloud Security
An IT environment that combines on-premises infrastructure with public cloud services, allowing data and applications to move between environments.
hypervisor security
Cloud SecurityNetwork / Infra
Security measures protecting the hypervisor layer in virtualized environments.
I
iac
CISOSOC Analyst
The process of managing and provisioning an organization’s IT infrastructure using machine-readable configuration files, rather than employing phys...
ict supply chain threat
AppSec / DevSecOps
A man-made threat achieved through exploitation of the information and communications technology (ICT) system’s supply chain, including acquisition...
idaas
Cloud Security
A cloud-based identity and access management (IAM) service offered by a third-party provider.
identity and access management
CISONetwork / Infra
A security framework that manages user identities and their access to resources.
identity provider
CISOCloud Security
A system that creates, maintains, and manages identity information for principals and provides authentication services to relying applications with...
identity theft
CISOGRC
The fraudulent acquisition and use of another person's private identifying information, typically for financial gain.
identity threat detection
SOC AnalystIR / Forensics
Security solutions focused on detecting and responding to identity-based attacks such as credential theft, privilege escalation, and account takeover.
idps
SOC Analyst
Software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible inc...
iec 62443
CISOSOC Analyst
An international standard for Industrial Control Systems (ICS) security, providing requirements and procedures for securing critical infrastructure...
iiot
CISOSOC Analyst
The collection of sensors, instruments and autonomous devices connected through the internet to industrial applications.
image steganography
Threat IntelThreat Hunter
The practice of hiding secret data within an image file.
immutable backup
CISOIR / Forensics
Backup data that cannot be modified, deleted, or encrypted by ransomware.
immutable infrastructure
Cloud SecurityAppSec / DevSecOps
An approach where servers and infrastructure components are never modified after deployment.
impersonization
SOC AnalystThreat Hunter
A type of targeted phishing attack in which a malicious actor pretends to be someone else or another entity to steal sensitive data.
implicit trust
CISONetwork / Infra
Trust granted automatically based on network location or other static attributes without continuous verification.
incident
SOC Analyst
An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the...
incident classification
SOC AnalystIR / Forensics
The process of categorizing security incidents by type, severity, and priority to ensure appropriate response.
incident commander
IR / ForensicsCISO
The person responsible for overall management of an incident response operation.
incident management
SOC Analyst
The management and coordination of activities associated with an actual or potential occurrence of an event that may result in adverse consequences...
incident playbook
SOC AnalystIR / Forensics
A documented procedure for responding to specific types of security incidents.
incident response
SOC AnalystIR / Forensics
The activities that address the short-term, direct effects of an incident and may also support short-term recovery.
incident response plan
SOC AnalystIR / Forensics
A formal document outlining procedures for detecting, responding to, and recovering from security incidents.
indicator
Threat Intel
An occurrence or sign that an incident may have occurred or may be in progress.
indicator of attack
Threat HunterSOC AnalystThreat Intel
Proactive indicators that focus on detecting attacker intent and behavior rather than specific artifacts.
indicator of compromise
IR / ForensicsThreat Intel
Observable artifacts or evidence of a security incident, such as IP addresses, domain names, file hashes, or email addresses.
industrial control system
CISOSOC Analyst
An information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infr...
infiniband
CISOSOC Analyst
A high-speed, low-latency interconnect standard used in high-performance computing (HPC), supercomputers, and AI data centers.
information and communication(s) technology
SOC Analyst
Any information technology, equipment, or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data...
information assurance
CISOSOC Analyst
The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality.
information assurance compliance
CISOGRC
In the NICE Framework, cybersecurity work where a person: Oversees, evaluates, and supports the documentation, validation, and accreditation proces...
information rights management
GRCCISO
Technology that controls how documents and emails can be used by restricting actions such as copying, printing, forwarding, and editing even after ...
information security
CISONetwork / Infra
The practice of protecting information and systems from unauthorized access, modification, and disruption.
information security policy
CISOGRC
An aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information.
information sharing
Threat Intel
An exchange of data, information, and/or knowledge to manage risks or respond to incidents.
information sharing and analysis center
Threat IntelCISO
A non-profit organization that provides a central resource for gathering and sharing information on cyber threats within specific industry sectors.
information system resilience
CISOSOC Analyst
The ability of an information system to: (1) continue to operate under adverse conditions or stress, even if in a degraded or debilitated state, wh...
information systems security operations
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Oversees the information assurance program of an information system in or outside the net...
information technology
SOC Analyst
Any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.
infosec
CISOSOC Analyst
The processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection.
infrastructure as a service
CISOSOC Analyst
A cloud service model providing virtualized computing resources over the internet, including VMs, storage, and networking.
infrastructure as code
Cloud SecurityAppSec / DevSecOps
The practice of managing and provisioning infrastructure through machine-readable definition files rather than manual processes.
infrastructure as code security
CISOSOC Analyst
Security practices for scanning and securing infrastructure-as-code templates (Terraform, CloudFormation) for misconfigurations and compliance viol...
ingress filtering
Network / Infra
The practice of monitoring and restricting inbound network traffic to block unauthorized or potentially malicious packets from entering the network.
initial access
Threat HunterPentest / Red TeamSOC Analyst
The first technique used by an attacker to gain a foothold in a target environment.
initial access broker
Threat Intel
A cybercriminal who specializes in gaining unauthorized access to corporate networks and selling that access to other threat actors, particularly r...
input validation
AppSec / DevSecOps
The process of ensuring that user-supplied data meets expected criteria before processing.
insecure deserialization
Pentest / Red Team
A vulnerability that occurs when untrusted data is deserialized without proper validation, allowing attackers to execute arbitrary code.
inside(r) threat
SOC AnalystThreat Hunter
A person or group of persons within an organization who pose a potential risk through violating security policies.
insider threat
CISOSOC AnalystThreat Hunter
A security risk that originates from within the organization — employees, former employees, contractors, or business associates who misuse authoriz...
integrated risk management
CISO
The structured approach that enables an enterprise or organization to share risk information and risk analysis and to synchronize independent yet c...
integrity
CISOSOC Analyst
A security principle ensuring that data and systems are accurate, complete, and have not been altered by unauthorized parties.
intelligence cycle
Threat IntelCISO
The structured process through which raw data is transformed into actionable threat intelligence, comprising iterative phases: Direction (requirements), Collection, Processing, Analysis, Dissemination, and Feedback.
intelligence sharing
Threat IntelCISOSOC Analyst
The collaborative exchange of cyber threat information—including indicators, TTPs, actor profiles, and context—among organizations or communities to improve collective detection, analysis, and response capabilities. Governed by frameworks such as TLP and facilitated by ISACs, ISAOs, and platforms like MISP.
intelligence-led security
Threat Intel
A security approach that prioritizes actions based on threat intelligence and risk analysis rather than random or firefighting responses.
intent
CISOSOC Analyst
A state of mind or desire to achieve an objective.
interactive application security testing
AppSec / DevSecOps
A security testing approach that combines SAST and DAST, instrumenting applications to provide detailed insight into vulnerabilities.
internet key exchange
Network / Infra
A protocol used to set up security associations in the IPSec protocol suite.
internet of things
Network / InfraCISO
The network of physical devices, vehicles, and appliances embedded with sensors and connectivity.
interoperability
CISOSOC Analyst
The ability of two or more systems or components to exchange information and to use the information that has been exchanged.
intrusion
CISOSOC Analyst
An unauthorized act of bypassing the security mechanisms of a network or information system.
intrusion detection
SOC Analyst
The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has...
intrusion detection system
SOC AnalystNetwork / Infra
A network security device that monitors network traffic for suspicious activity and alerts administrators when potential intrusions are detected.
intrusion prevention system
SOC AnalystNetwork / Infra
Similar to IDS but capable of automatically blocking or preventing detected attacks.
intrusion set
Threat IntelThreat HunterIR / Forensics
A grouped set of adversarial behaviors, resources, and infrastructure believed to be orchestrated by a single threat actor or group with common objectives. A core STIX 2.1 domain object that links campaigns, malware, and tools to a threat actor over time.
investigate
CISOSOC Analyst
A NICE Framework category consisting of specialty areas responsible for the investigation of cyber events and/or crimes of IT systems, networks, an...
investigation
SOC AnalystThreat HunterIR / Forensics
A systematic and formal inquiry into a qualified threat or incident using digital forensics and perhaps other traditional criminal inquiry techniqu...
ioa
CISONetwork / Infra
A clue that a malicious entity has gained, or is attempting to gain, unauthorised access to the network or assets connected to the network.
ioas
SOC AnalystThreat Hunter
The series of behaviors that a cybercriminal exhibits prior to executing a cyberattack.
ioc
Threat Hunter
Clues and evidence of a data breach.
iot security
CISOSOC Analyst
Security practices for Internet of Things devices and networks, addressing unique challenges of resource-constrained embedded systems.
ip address
Network / Infra
A numerical label assigned to each device connected to a computer network.
ip spoofing
Network / InfraPentest / Red Team
The creation of IP packets with a forged source address to impersonate another system or hide the origin of an attack.
ipsec
Network / Infra
A set of communication rules or protocols for setting up secure connections over a network. Internet Protocol (IP) is the common standard that deter...
isao
Threat IntelCISOGRC
A voluntary, non-sector-specific organization established to gather, analyze, and share cybersecurity threat information and best practices across industries. Authorized under Executive Order 13691 as a complement to sector-specific ISACs.
iso 27001
GRCCISO
An international standard for information security management systems (ISMS).
iso/iec 27001
GRC
An international standard for establishing, implementing, and maintaining an information security management system (ISMS).
J
jailbreaking
Pentest / Red TeamSOC Analyst
The process of removing manufacturer restrictions on mobile devices to gain root access and install unauthorized software.
json web token
CISONetwork / Infra
A standard for creating digitally signed tokens that assert claims about users.
jump server
Network / InfraCloud Security
A hardened intermediary system used to access and manage devices in a separate security zone.
just-in-time access
Cloud SecurityCISO
A privileged access management approach that grants temporary, time-limited access to resources only when needed, automatically revoking access aft...
K
kerberoasting
Pentest / Red TeamThreat Hunter
An attack technique that extracts service account credential hashes from Active Directory for offline cracking.
kerberos
Network / InfraPentest / Red TeamIR / Forensics
A network authentication protocol that uses tickets to allow nodes to prove their identity securely.
key escrow
GRCCISO
An arrangement where cryptographic keys are held in escrow by a trusted third party, allowing authorized access to encrypted data under specific ci...
key management
CISOCloud Security
The process of managing cryptographic keys throughout their lifecycle, including generation, distribution, storage, rotation, and destruction.
key management service
Network / InfraAppSec / DevSecOps
A cloud service that securely generates, stores, and manages cryptographic keys used for encryption.
key performance indicator
CISOGRC
In security, measurable values used to evaluate the effectiveness of security programs.
key risk indicator
CISOGRC
A metric used to provide an early signal of increasing risk exposure.
keylogger
SOC Analyst
Malware or hardware device that records keyboard inputs to capture passwords and sensitive information.
keystores
Network / InfraAppSec / DevSecOps
Repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS.
kill chain
Threat HunterSOC AnalystThreat Intel
A military concept adapted for cybersecurity that describes the stages of a cyber attack from reconnaissance to actions on objectives.
kill switch
IR / ForensicsSOC Analyst
A mechanism built into software or systems that can immediately disable or shut down functionality.
killware
Threat IntelCISO
Malware designed to cause physical harm or endanger human life by targeting critical infrastructure such as healthcare, water treatment, or transpo...
knowledge management
GRC
In the NICE Framework, cybersecurity work where a person: Manages and administers processes and tools that enable the organization to identify, doc...
kubernetes security
Cloud Security
Security measures for protecting Kubernetes orchestration platforms and containerized workloads.
kubernetes security posture management
Cloud SecurityAppSec / DevSecOps
A security practice that identifies misconfigurations and compliance violations in Kubernetes clusters by monitoring pods, namespace policies, contain...
L
laas
CISOSOC Analyst
An IT architectural model for centrally ingesting and collecting any type of log files coming from any given source or location such as servers, ap...
langsec
CISOSOC Analyst
A design and programming philosophy that focuses on formally correct and verifiable input handling throughout all phases of the software developmen...
large language model security
SOC AnalystThreat Hunter
Security considerations for large language models including prompt injection, model extraction, and data leakage.
lateral movement
Threat HunterIR / ForensicsPentest / Red Team
Techniques used by attackers to move through a network after initial access, pivoting between systems to reach target data or assets.
ldap injection
Pentest / Red Team
An attack that exploits LDAP query construction vulnerabilities by injecting malicious LDAP syntax.
least privilege
SOC AnalystThreat Hunter
A security principle that restricts user and system access rights to the minimum necessary to perform required functions.
legal advice and advocacy
CISOGRC
In the NICE Framework, cybersecurity work where a person: Provides legally sound advice and recommendations to leadership and staff on a variety of...
lessons learned
IR / ForensicsCISO
The post-incident review phase where an organization documents what happened, what went well, what could be improved, and action items to strengthe...
living off the cloud
Cloud SecurityThreat HunterSOC Analyst
An attack methodology where adversaries leverage legitimate cloud-native administrative tools, APIs, identity systems, and management consoles to cond...
living off the land
Threat HunterIR / ForensicsSOC Analyst
An attack technique that uses legitimate system tools and features (PowerShell, WMI, certutil) to carry out malicious activities, avoiding detectio...
log aggregation
SOC AnalystNetwork / Infra
The process of collecting log data from multiple sources into a centralized system for analysis, correlation, and retention.
log management
SOC AnalystGRC
The process of collecting, storing, analyzing, and retaining log data from various sources for security monitoring, compliance, and forensic invest...
log4shell
AppSec / DevSecOpsSOC Analyst
A critical remote code execution vulnerability (CVE-2021-44228) in the Apache Log4j logging library.
logic bomb
SOC Analyst
Malicious code that remains dormant until a specific trigger condition is met, then executes a harmful action.
lolbas
Threat HunterIR / Forensics
A curated list of legitimate Windows binaries and scripts that can be abused for malicious purposes.
lolbin
Threat IntelThreat HunterPentest / Red TeamSOC Analyst
A legitimate binary already present on a target operating system—such as certutil.exe, mshta.exe, or regsvr32.exe on Windows—that an attacker abuses to download payloads, execute code, or evade detection without introducing new executables. A more specific term within the broader LOLBAS category.
M
mac address
Network / Infra
A unique hardware identifier assigned to network interfaces.
mac flooding
Pentest / Red TeamNetwork / Infra
An attack against network switches that floods the MAC address table with fake MAC addresses, causing the switch to operate as a hub and enabling t...
machine learning and evolution
CISOSOC Analyst
A field concerned with designing and developing artificial intelligence algorithms for automated knowledge discovery and innovation by information ...
macro virus
CISOSOC Analyst
A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute, re...
malicious applet
CISOSOC Analyst
A small application program that is automatically downloaded and executed and that performs an unauthorized function on an information system.
malicious code
CISOSOC AnalystAppSec / DevSecOps
Program code intended to perform an unauthorized function or process that will have adverse impact on the confidentiality, integrity, or availabili...
malicious logic
SOC Analyst
Hardware, firmware, or software that is intentionally included or inserted in a system to perform an unauthorized function or process that will hav...
malvertising
SOC AnalystThreat Hunter
A malicious attack that involves injecting harmful code into legitimate online advertising networks.
malware
SOC AnalystThreat Hunter
Software that compromises the operation of a system by performing an unauthorized function or process.
malware analysis
IR / ForensicsThreat IntelThreat Hunter
The process of studying malware behavior, capabilities, and origin through static analysis (examining code) and dynamic analysis (executing in a sa...
malware sandbox
SOC AnalystIR / ForensicsThreat Intel
An isolated virtual environment used to safely execute and analyze suspicious files or URLs without risking infection of production systems.
man-in-the-middle
SOC AnalystThreat Hunter
An attack where the attacker intercepts communications between two parties to eavesdrop or modify data without their knowledge.
man-in-the-middle attack
Pentest / Red TeamNetwork / Infra
An attack where the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly.
managed detection and response
SOC AnalystCISO
A cybersecurity service that provides organizations with threat monitoring, detection, and response capabilities through a combination of technolog...
managed firewall
Network / Infra
A firewall service operated and maintained by a managed security service provider, including rule management, monitoring, and incident response.
managed security service provider
CISO
A third-party company that provides outsourced monitoring and management of security devices and systems.
managed service provider
CISO
A third-party company that remotely manages a customer's IT infrastructure and end-user systems.
mandatory access control
GRCCISO
An access control model where the operating system constrains the ability of a subject to access or perform operations on objects based on security...
maturity model
GRCCISO
A framework for assessing the sophistication of an organization's security capabilities.
md5
Network / InfraAppSec / DevSecOps
A cryptographic hash function that produces a 128-bit hash value.
mean time to detect
SOC AnalystCISO
The average time it takes to discover a security incident after it occurs.
mean time to respond
SOC AnalystCISOIR / Forensics
The average time it takes to contain and remediate a security incident after detection.
meltdown
Network / Infra
A hardware vulnerability affecting Intel processors that allows unauthorized reading of kernel memory from user space, potentially exposing sensiti...
memory forensics
IR / Forensics
Forensic analysis of a system's RAM to recover artifacts, running processes, and evidence of malware that may not appear on disk.
metadata
Threat IntelIR / Forensics
Data that describes other data, including file properties, communication headers, and geolocation information.
metamorphic malware
SOC AnalystThreat Hunter
Malware that rewrites its entire code structure with each iteration, creating functionally equivalent but structurally different variants.
metaverse
CISOSOC Analyst
A shared, immersive, persistent, 3D virtual space where humans experience life in ways they could not in the physical world.
microsegmentation
Network / InfraCloud Security
A network security technique that creates fine-grained security zones within data centers or cloud environments, applying policies to individual wo...
mishandling of exceptional conditions
AppSec / DevSecOps
An OWASP Top 10:2025 category covering vulnerabilities that arise from improper error handling, failing open, logical errors, and abnormal condition processing. Encompasses 24 CWEs related to how applications respond to unexpected states.
misp
Threat IntelSOC AnalystIR / Forensics
An open-source threat intelligence platform designed to collect, store, correlate, and share indicators of compromise and structured threat intelligence across organizations and communities. Supports STIX and other interoperability standards.
mitigation
CISOSOC Analyst
The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
mitm
SOC AnalystThreat Hunter
A man-in-the-middle attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who belie...
mitre att&ck
Threat Hunter
A globally accessible knowledge base of adversary tactics and techniques derived from real-world observations.
mitre d3fend
SOC AnalystThreat HunterCISO
A knowledge graph of defensive cybersecurity countermeasures and their relationships to offensive techniques.
mobile device management
CISO
Software that allows IT administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoints.
mobile malware
SOC AnalystThreat Hunter
Malware specifically designed to compromise mobile devices like smartphones and tablets, often disguised as legitimate applications.
model poisoning
GRC
An attack that introduces malicious data into training datasets to compromise ML model behavior.
moving target defense
SOC AnalystThreat Hunter
The presentation of a dynamic attack surface, increasing an adversary's work factor necessary to probe, attack, or maintain presence in a cyber tar...
multi-factor authentication
CISONetwork / Infra
A security mechanism that requires users to provide two or more verification factors before granting access.
multi-tenant
Cloud SecurityAppSec / DevSecOps
A software architecture where a single instance serves multiple customers (tenants) with logical data separation.
multi-vector attack
SOC AnalystThreat Hunter
An attack that uses multiple methods simultaneously or sequentially to compromise a target.
N
nac
Network / Infra
A security solution that restricts access to a network based on the identity and security posture of the connecting device, enforcing security poli...
nccoe
CISOSOC Analyst
A NIST public-private partnership that enables the creation of practical cybersecurity solutions for specific industries or broad, cross-sector tec...
netflow
SOC AnalystNetwork / Infra
A network protocol for collecting IP traffic information and monitoring network flow.
network access control
Network / Infra
A security system that enforces policies for network device access based on device identity, compliance status, and authorization level.
network address translation
Network / Infra
A method of remapping one IP address space to another by modifying network address information in packet headers.
network detection and response
SOC AnalystNetwork / Infra
A security tool that monitors network traffic and behavior for advanced threats, lateral movement, and data exfiltration that traditional tools may...
network forensics
IR / ForensicsNetwork / Infra
The capture, recording, and analysis of network traffic to discover the source of security incidents.
network intrusion detection
Network / InfraSOC Analyst
An intrusion detection system that monitors network traffic for suspicious patterns.
network resilience
Network / Infra
The ability of a network to: (1) provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damag...
network security
Network / InfraCISO
The practice of protecting computer networks from threats through hardware, software, and procedural measures.
network segmentation
Network / Infra
The practice of dividing a network into separate segments or subnets with controlled access between them.
network services
Network / Infra
In the NICE Framework, cybersecurity work where a person: Installs, configures, tests, operates, maintains, and manages networks and their firewall...
network tap
Network / InfraSOC Analyst
A hardware device placed on a network to passively capture full-duplex traffic without disrupting the network.
network traffic analysis
Network / InfraSOC AnalystThreat Hunter
The process of intercepting, recording, and analyzing network traffic to detect threats, characterize anomalies, and identify suspicious activity.
neuroergonomics
CISOSOC Analyst
The emerging field that studies how the brain relates to performance in everyday settings and at work, integrating neuroscience and ergonomics to d...
neuromorphic
CISOSOC Analyst
Neuromorphic computing is a method of computing that uses artificial neurons to mimic the human brain's structure and function.
newsql
CISOSOC Analyst
A relational database system that bridges the gap between SQL and NoSQL.
next-generation firewall
Network / Infra
A firewall that combines traditional firewall capabilities with advanced features including application awareness, intrusion prevention, and cloud-...
nids
SOC AnalystNetwork / Infra
An intrusion detection system that monitors network traffic for suspicious activity and known attack patterns, analyzing packets as they traverse n...
nist cybersecurity framework
CISOGRC
A set of guidelines, standards, and practices for managing cybersecurity risks developed by the National Institute of Standards and Technology.
nist sp 800-171
GRC
Security requirements for protecting controlled unclassified information (CUI) in nonfederal information systems.
nist sp 800-53
GRC
A specialized publication providing recommendations for security controls for federal information systems.
non-human identity
Cloud SecurityCISONetwork / Infra
Any digital identity — such as service accounts, API keys, OAuth tokens, bots, or workload identities — that authenticates and operates autonomously w...
non-repudiation
CISOSOC AnalystNetwork / InfraAppSec / DevSecOps
A security property ensuring that a user cannot deny having performed an action.
nonce
Network / InfraAppSec / DevSecOps
A number used once in a cryptographic communication to prevent replay attacks.
noob
CISOSOC Analyst
A person who is inexperienced in a particular sphere or activity, especially as related to computing.
ntlm
Pentest / Red TeamNetwork / InfraIR / Forensics
A legacy Microsoft authentication protocol suite.
nuclei scanner
Pentest / Red TeamAppSec / DevSecOps
An open-source vulnerability scanner by ProjectDiscovery that uses YAML-based templates for automated, community-driven scanning of web applications, ...
O
oauth
CISONetwork / InfraGRC
An open authorization framework that allows users to authorize third-party applications to access their resources without sharing passwords.
obfuscation
Threat HunterIR / ForensicsAppSec / DevSecOps
The deliberate act of making code or data difficult to understand or analyze.
object
CISOSOC Analyst
A passive information system-related entity containing or receiving information.
ocsf
SOC AnalystCISO
An open-source schema framework for normalizing security event data across different security tools and vendors, enabling better data sharing and c...
offsec
SOC AnalystThreat Hunter
The proactive approach to securing networks and systems from attacks by actively seeking out vulnerabilities and weaknesses.
open-source intelligence
Threat Intel
Intelligence gathered from publicly available sources such as social media, news, government records, and academic publications.
openid connect
CISONetwork / Infra
An identity layer built on top of OAuth 2.0 that provides user authentication and profile information.
openioc
Threat Hunter
An extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker's methodology, or oth...
operate & maintain
GRC
A NICE Framework category consisting of specialty areas responsible for providing the support, administration, and maintenance necessary to ensure ...
operation masquerade
Threat IntelNetwork / Infra
A 2026 FBI court-authorized law enforcement operation that disrupted Russian APT28 DNS hijacking infrastructure by performing remote DNS resets on tho...
operational exercise
CISOSOC Analyst
An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles,...
operational technology
Network / InfraCISO
Hardware and software that detects or causes changes through direct monitoring and control of physical devices, processes, and events in industrial...
operations technology
SOC Analyst
The hardware and software systems used to operate industrial control devices.
os command injection
Pentest / Red Team
A vulnerability that allows attackers to execute arbitrary operating system commands through vulnerable application input.
osint
Threat IntelPentest / Red Team
Intelligence collected from publicly available sources including social media, websites, public records, and technical data.
out-of-band application security testing
Pentest / Red TeamAppSec / DevSecOps
A technique that uses external callback servers to detect blind vulnerabilities by triggering out-of-band interactions (DNS, HTTP) from t...
outside(r) threat
SOC AnalystThreat Hunter
A person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization ...
overfitting
CISOSOC Analyst
An undesirable machine learning behavior that occurs when the machine learning model gives accurate predictions for training data but not for new data.
oversight & development
CISO
A NICE Framework category consisting of specialty areas providing leadership, management, direction, and/or development and advocacy so that all in...
owasp
AppSec / DevSecOps
A nonprofit foundation working to improve the security of software.
owasp top 10
SOC AnalystThreat Hunter
A list of the ten most critical web application security vulnerabilities compiled by the Open Worldwide Application Security Project.
P
paas
Cloud Security
A cloud computing model where a third-party provider delivers hardware and software tools to users over the internet.
package repository security
CISOSOC Analyst
Security measures for protecting software package repositories (npm, PyPI, Maven) from malicious uploads and account compromise.
packet capture
SOC AnalystIR / ForensicsNetwork / Infra
The interception and recording of network packets for analysis.
packet sniffing
Network / InfraPentest / Red Team
The practice of intercepting and logging network traffic.
pass-the-hash
Pentest / Red TeamIR / ForensicsThreat Hunter
An attack technique that uses stolen password hashes to authenticate without knowing the actual password.
pass-the-ticket
Pentest / Red TeamIR / ForensicsThreat Hunter
An attack technique that uses stolen Kerberos tickets to authenticate to services without needing the account password.
passive attack
Pentest / Red Team
An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system, but does not attempt...
password
CISONetwork / Infra
A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
password manager
CISO
A software application that generates, stores, and manages complex unique passwords for multiple accounts.
password spraying
Pentest / Red Team
An attack that uses a few common passwords against many user accounts to avoid triggering account lockouts.
passwordless
CISONetwork / Infra
An authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret.
passwordless authentication
Network / InfraAppSec / DevSecOps
Authentication methods that do not rely on passwords, such as biometrics, hardware keys, or push notifications.
patch management
CISOSOC Analyst
The process of developing, testing, and deploying security patches to fix vulnerabilities.
path traversal
Pentest / Red Team
A vulnerability that allows attackers to access files and directories outside the intended scope by using path sequences like "../" or "..\".
payload
Pentest / Red TeamIR / ForensicsSOC Analyst
The component of malware that performs the malicious action, such as data theft, encryption, or system destruction.
payment card industry data security standard
GRC
A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secur...
pci dss
GRC
A security standard for organizations handling credit card information.
pen test
CISOSOC Analyst
A colloquial term for penetration test or penetration testing.
pen test report
Pentest / Red TeamGRC
A formal document detailing the findings, methodology, and recommendations from a penetration test.
penetration test
Pentest / Red Team
An authorized, controlled security test where experts simulate real attacks to identify exploitable vulnerabilities and assess security controls.
penetration testing
Pentest / Red Team
An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or informat...
pentester
CISOSOC Analyst
An information security expert who performs penetration tests.
perfect forward secrecy
Network / InfraAppSec / DevSecOps
A cryptographic property where compromise of long-term keys does not affect the security of past sessions.
persistence
Threat HunterIR / ForensicsPentest / Red Team
Techniques used by attackers to maintain access to a compromised system across reboots and credential changes.
personal identifying information / personally identifiable information
CISONetwork / Infra
The information that permits the identity of an individual to be directly or indirectly inferred.
phaas
CISOSOC Analyst
A model where cybercriminals offer pre-packaged phishing tools and resources, like malicious email templates, landing pages, and hosting, to others...
pharming
Network / InfraSOC Analyst
An attack that redirects website traffic to a fraudulent site by poisoning DNS servers or modifying the hosts file.
phishing
Pentest / Red TeamCISOSOC Analyst
A social engineering attack that uses fraudulent emails, messages, or websites to trick users into divulging sensitive information or downloading m...
phishing kit
Threat IntelSOC Analyst
A package of tools and templates that allows low-skill attackers to easily create and deploy phishing campaigns.
phishing simulation
CISOSOC Analyst
A controlled exercise that sends simulated phishing emails to employees to test security awareness and train them to recognize and report phishing ...
piv
CISOSOC Analyst
An identification card issued by a federal agency that contains a computer chip, which allows it to receive, store, recall, and send information in...
pivot
Pentest / Red TeamThreat Hunter
A technique where an attacker uses a compromised system as a stepping stone to access other systems in the network.
pivoting
Pentest / Red TeamThreat Hunter
A technique where an attacker uses a compromised system as a launching point to attack other systems on the same network that are not directly acce...
pki
Network / InfraCISO
A framework of hardware, software, policies, and procedures used to create, manage, distribute, and revoke digital certificates for secure electron...
plaintext
Network / InfraAppSec / DevSecOps
Unencrypted information.
platform as a service
CISOSOC Analyst
A cloud service model providing a platform for developing, testing, and deploying applications.
playbook
SOC AnalystIR / Forensics
A documented set of procedures and response steps for handling specific types of security incidents.
policy-as-code
AppSec / DevSecOpsCloud SecurityGRC
The practice of defining security, compliance, and operational policies in machine-readable code that can be version-controlled, tested, and automatically enforced across infrastructure and CI/CD pipelines. Commonly implemented with tools like Open Policy Agent (OPA).
polymorphic malware
SOC AnalystThreat Hunter
Malware that changes its code and signature while maintaining functionality, evading signature-based detection.
port scanning
Pentest / Red TeamSOC Analyst
The technique of probing a host for open ports to discover running services and potential vulnerabilities.
post-exploitation
Pentest / Red TeamThreat Hunter
Activities performed after successfully exploiting a vulnerability, including privilege escalation, persistence, data collection, and lateral movem...
post-incident review
SOC Analyst
A meeting held after an incident to discuss what happened, what was handled well, and what could be improved.
post-quantum cryptography
GRC
Cryptographic algorithms designed to resist attacks from quantum computers.
powershell attack
Threat HunterSOC Analyst
Malicious use of Microsoft PowerShell for executing payloads, downloading malware, and performing post-exploitation activities.
precursor
SOC AnalystThreat Hunter
An observable occurrence or sign that an attacker may be preparing to cause an incident.
preparedness
SOC Analyst
The activities to build, sustain, and improve readiness capabilities to prevent, protect against, respond to, and recover from natural or manmade i...
principle of defense in depth
CISONetwork / Infra
A security philosophy that implements multiple layers of controls throughout an information system.
principle of least authority
CISOAppSec / DevSecOpsCloud Security
A security design principle that grants each module, process, or user the minimum authority needed to perform their function.
privacy
GRC
The right of individuals to control information about themselves and protection of personal data from unauthorized use.
privacy impact assessment
GRC
An analysis of how personally identifiable information is collected, used, shared, and maintained.
private cloud
Cloud Security
A cloud infrastructure dedicated exclusively to a single organization, providing greater control and privacy than public clouds.
private key
Network / InfraAppSec / DevSecOps
A cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.
privilege escalation
Pentest / Red TeamThreat HunterIR / Forensics
The act of exploiting a vulnerability or misconfiguration to gain elevated access rights.
privileged access management
CISONetwork / Infra
A security solution that manages and monitors access to privileged accounts and credentials.
process hollowing
Threat HunterIR / Forensics
A code injection technique where an attacker creates a process in a suspended state, replaces its code with malicious code, and then resumes execut...
prompt injection
Pentest / Red Team
An attack that manipulates LLM behavior by injecting malicious instructions into prompts.
proof of concept
Pentest / Red Team
A demonstration that a vulnerability can be exploited.
protect & defend
SOC AnalystThreat Hunter
A NICE Framework category consisting of specialty areas responsible for the identification, analysis, and mitigation of threats to internal IT syst...
protocol analysis
Network / InfraSOC AnalystIR / Forensics
The process of examining network protocol behavior and communications to identify anomalies, vulnerabilities, or malicious activity.
proxy
Network / Infra
A network intermediary that stands between clients and servers, forwarding requests and responses.
proxy server
Network / Infra
An intermediary server that separates end users from the websites they browse.
proxyjacking
Network / Infra
A malicious technique where an attacker gains control over a target's proxy server, allowing them to intercept and manipulate the target's internet ...
ptaas
SOC AnalystThreat Hunter
A hybrid solution that combines the breadth of automation with the depth of human assessment, while integrated with advanced vulnerability manageme...
ptes
Pentest / Red Team
A comprehensive framework for conducting authorized penetration tests, covering seven phases: pre-engagement, intelligence gathering, threat modeli...
public key
Network / InfraAppSec / DevSecOps
A cryptographic key that may be widely published and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.
public key cryptography
Network / InfraAppSec / DevSecOps
A branch of cryptography in which a cryptographic system or algorithms use two uniquely linked keys: a public key and a private key (a key pair).
public key infrastructure
Network / InfraGRC
A system for managing digital certificates and public keys.
purple team
Pentest / Red TeamSOC AnalystCISO
A collaborative security approach where red team (offensive) and blue team (defensive) work together to improve security.
Q
quantum computing security
Network / InfraAppSec / DevSecOps
Security considerations for protecting systems against future quantum computers, including post-quantum cryptography and quantum-resistant algorithms.
quantum computing threat
CISONetwork / Infra
The potential future risk that quantum computers could break current encryption algorithms, particularly RSA and ECC.
quantum key distribution
Network / Infra
A method of securely distributing encryption keys using quantum mechanics principles.
R
raas
SOC AnalystThreat Hunter
A cybercrime business model in which ransomware developers sell ransomware code or malware to other hackers, called “affiliates,” who then use the ...
race condition
Pentest / Red Team
A security vulnerability that occurs when multiple processes access shared resources concurrently, and the final result depends on the timing of ex...
radius
Network / Infra
A networking protocol that provides centralized authentication, authorization, and accounting management for users connecting to a network service.
rainbow table
Pentest / Red Team
A precomputed table of hash values used for reversing cryptographic hash functions, primarily for cracking password hashes.
ransomware
SOC AnalystThreat Hunter
Malware that encrypts a victim's files or locks their system, demanding payment for decryption or restoration.
ransomware negotiation
IR / ForensicsCISO
The process of communicating with ransomware operators to reduce payment demands, extend deadlines, or obtain proof of data deletion.
ransomware-as-a-service
Threat IntelCISOSOC Analyst
A cybercrime business model where ransomware operators lease their malware and infrastructure to affiliates in exchange for a share of ransom payme...
rdp compromise
SOC AnalystPentest / Red Team
Unauthorized access gained through Remote Desktop Protocol, often via brute force attacks, credential stuffing, or exploiting unpatched vulnerabili...
reconnaissance
Pentest / Red TeamThreat HunterThreat Intel
The first phase of a cyber attack where the attacker gathers information about the target.
recovery
SOC AnalystIR / Forensics
The activities after an incident or event to restore essential services and operations in the short and medium term and fully restore all capabilit...
recovery point objective
CISOGRC
The maximum acceptable amount of data loss measured in time.
recovery time objective
CISOGRC
The maximum acceptable time to restore a system or service after a disaster or disruption.
red team
Pentest / Red TeamCISO
A group authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s cybersecurity posture.
red team assessment
Pentest / Red Team
A comprehensive, goal-oriented adversarial assessment that simulates real-world attacks.
red team exercise
Pentest / Red Team
An exercise, reflecting real-world conditions, that is conducted as a simulated attempt by an adversary to attack or exploit vulnerabilities in an ...
redundancy
CISOSOC Analyst
Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of ...
reflected xss
Pentest / Red TeamAppSec / DevSecOps
A type of cross-site scripting where the malicious script is reflected off a web server in the URL or form submission, executing in the victim's br...
regulatory compliance
GRCCISO
The process of adhering to laws, regulations, guidelines, and specifications relevant to an organization's business operations and data handling pr...
remediation
SOC AnalystIR / ForensicsGRC
The process of addressing and fixing identified security vulnerabilities or incidents.
remote access trojan
SOC AnalystThreat Hunter
Malware that provides unauthorized remote access and control of an infected system.
remote code execution
Pentest / Red TeamSOC Analyst
A vulnerability that allows an attacker to execute arbitrary code on a target machine or in a target process from a remote location.
remote monitoring and management
SOC AnalystNetwork / Infra
Software used by IT providers to remotely manage client systems.
remoting
CISOSOC Analyst
A technology that allows a program to interact with the internals of another program running on a different machine.
replay attack
Network / InfraPentest / Red Team
An attack where valid data transmissions are captured and retransmitted to trick the receiver into unauthorized actions.
repojacking
CISOSOC Analyst
Intentionally taking over the account of an owner or maintainer who hosts a repository.
reputation-based security
SOC AnalystNetwork / Infra
Security mechanisms that evaluate the trustworthiness of entities (IPs, domains, files) based on historical behavior and community intelligence to ...
resilience
CISOSOC Analyst
The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.
response
CISOSOC Analyst
The activities that address the short-term, direct effects of an incident and may also support short-term recovery.
responsible disclosure
CISOAppSec / DevSecOps
A vulnerability disclosure model where researchers report findings privately to the vendor and allow time for a fix before public disclosure, balan...
retro hunt
Threat HunterThreat Intel
The process of applying new threat intelligence indicators to historical data to identify previously undetected compromises or threat activity.
reverse engineering
IR / ForensicsThreat IntelPentest / Red Team
The process of analyzing software or hardware to understand its design, architecture, and functionality.
reverse shell
Pentest / Red TeamIR / ForensicsThreat Hunter
A type of shell where the target machine connects back to the attacker's machine, bypassing firewall rules that block incoming connections.
risk
SOC AnalystThreat HunterPentest / Red Team
The potential for loss or damage calculated as the probability of a threat being exploited multiplied by the impact of exploitation.
risk analysis
CISOSOC Analyst
The systematic examination of the components and characteristics of risk.
risk appetite
CISOGRC
The amount and type of risk an organization is willing to accept in pursuit of its objectives.
risk assessment
CISO
A systematic process of identifying threats, vulnerabilities, and calculating risks to prioritize security investments.
risk management
CISO
The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable l...
risk mitigation
CISO
The process of reducing risk through security controls, process improvements, or acceptance of remaining risk.
risk quantification
CISOGRC
The process of assigning monetary values to cyber risks using frameworks like FAIR.
risk register
GRCCISO
A document that records identified risks, their severity, likelihood, and the measures taken to mitigate them.
risk-based data management
CISOGRC
A structured approach to managing risks to data and information by which an organization selects and applies appropriate security controls in compl...
rogue access point
Network / InfraPentest / Red Team
An unauthorized wireless access point installed on a network, either maliciously by an attacker or unknowingly by an employee.
role-based access control
CISONetwork / Infra
An access control model that grants permissions based on user roles rather than individual identities.
root cause analysis
SOC AnalystIR / Forensics
A systematic investigation to identify the fundamental cause of a security incident rather than addressing only symptoms.
rootkit
SOC AnalystThreat HunterCISONetwork / Infra
Malware that gains root or administrative access to a system and attempts to hide its presence from detection.
rsa
Network / InfraAppSec / DevSecOps
An asymmetric encryption algorithm that uses a pair of public and private keys.
rtos
CISOSOC Analyst
A real-time operating system (RTOS) is an OS that guarantees real-time applications a certain capability within a specified deadline.
rubber ducky
Pentest / Red Team
A USB device that appears as a keyboard to the target computer and rapidly types pre-programmed keystrokes to execute attacks.
runbook
SOC AnalystIR / Forensics
A compiled set of procedures and operations that system administrators or security analysts follow to handle routine tasks or incident response sce...
runtime application self-protection
AppSec / DevSecOps
A security technology that runs within an application to detect and prevent real-time attacks by analyzing application behavior and context.
S
salt
AppSec / DevSecOps
Random data added to a password before hashing to ensure that the same password produces different hash values.
salting
AppSec / DevSecOpsIR / Forensics
Adding random data to passwords before hashing to prevent rainbow table attacks.
saml
CISONetwork / Infra
A standard for exchanging authentication and authorization information between identity providers and service providers.
sandbox
SOC AnalystIR / Forensics
An isolated testing environment that mimics a real system to safely execute suspicious files and observe behavior without risking production systems.
sandboxing
SOC AnalystIR / ForensicsAppSec / DevSecOps
A security mechanism that isolates running programs in a restricted environment to prevent them from affecting other parts of the system.
sbom
AppSec / DevSecOps
A formal inventory of software components, dependencies, and licenses used in an application.
scada security
Network / InfraCISO
Security measures protecting Supervisory Control and Data Acquisition systems used in industrial environments.
scanning
Pentest / Red TeamNetwork / Infra
The process of probing a network or system to identify active hosts, open ports, running services, and potential vulnerabilities.
scap
GRCSOC Analyst
A suite of specifications for standardizing the format and nomenclature for communicating software flaw and security configuration information.
scareware
AppSec / DevSecOps
A cyberattack tactic that frightens people into visiting spoofed or infected websites or downloading malicious software (malware).
scim
Cloud SecurityCISO
An open standard for automating the exchange of user identity information between identity domains or IT systems, simplifying user provisioning and...
secaas
CISOSOC Analyst
A cloud-based method of outsourcing your cybersecurity.
secdevops
CISOSOC Analyst
A software development methodology that places security concerns first in planning and development.
secops
CISOSOC Analyst
A combination of the terms security and operations; a methodology that IT managers implement to enhance the connection, collaboration and commun...
secret key
Network / InfraAppSec / DevSecOps
A cryptographic key that is used for both encryption and decryption, enabling the operation of a symmetric key cryptography scheme.
secret management
AppSec / DevSecOpsCloud Security
The practice of securely storing and controlling access to sensitive credentials such as API keys, passwords, certificates, and encryption keys in ...
secrets management
Network / InfraAppSec / DevSecOps
The practice of securely storing, managing, and rotating sensitive credentials like API keys, passwords, and tokens.
secrets sprawl
Cloud SecurityAppSec / DevSecOpsCISO
The uncontrolled proliferation of credentials, API keys, tokens, and other secrets across code repositories, CI/CD pipelines, configuration files, and...
secure access service edge
Cloud SecurityNetwork / InfraCISO
A cloud-delivered network architecture that converges SD-WAN, secure web gateway, CASB, firewall-as-a-service, and zero trust network access into a si...
secure boot
Network / Infra
A security standard that ensures a device boots using only software trusted by the manufacturer.
secure development lifecycle
AppSec / DevSecOps
A software development process that integrates security activities at every phase, from requirements gathering through design, implementation, test...
secure shell
Network / InfraCloud Security
A cryptographic network protocol for secure remote login, command execution, and file transfer.
secure socket layer
Network / Infra
A deprecated cryptographic protocol for securing communications over a network.
secure software development framework
AppSec / DevSecOpsGRC
A NIST framework (SP 800-218) providing a set of fundamental, sound, and secure software development practices. Covers preparing the organization, protecting software, producing well-secured software, and responding to vulnerabilities.
secure software development lifecycle
CISOSOC Analyst
A development methodology that integrates security practices throughout all phases of software development from design to deployment.
securely provision
CISOSOC Analyst
A NICE Framework category consisting of specialty areas concerned with conceptualizing, designing, and building secure IT systems, with responsibil...
security architecture
CISONetwork / Infra
The design and structure of an organization's security systems, policies, and processes.
security assertion markup language
Cloud SecurityCISO
An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider.
security audit
GRCCISO
A systematic evaluation of an organization's security policies, procedures, and controls.
security automation
SOC Analyst
The use of information technology in place of manual processes for cyber incident response and management.
security awareness
CISO
The process of educating users and employees about security risks, best practices, and their role in protecting the organization.
security awareness training
CISOGRC
Educational programs designed to teach employees about cybersecurity threats and best practices.
security baseline
CISOSOC Analyst
A documented set of minimum security requirements that systems must meet.
security by design
CISOSOC Analyst
An approach to software and system development that integrates security considerations from the beginning rather than as an afterthought.
security control
CISOGRC
A safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of information.
security culture
CISO
An organizational environment where security is valued and integrated into decision-making and daily practices.
security incident
SOC AnalystIR / ForensicsCISO
An event that potentially compromises the confidentiality, integrity, or availability of an information asset.
security information and event management
SOC Analyst
A platform that aggregates, correlates, and analyzes security logs and events from across an organization's IT infrastructure.
security operations center
SOC AnalystCISO
A centralized facility where security analysts monitor, detect, analyze, and respond to cybersecurity incidents using technology and processes.
security orchestration, automation, and response
SOC Analyst
A platform that automates security incident response by orchestrating tools and playbooks to detect, investigate, and respond to threats faster.
security policy
CISOGRC
A formal document that defines an organization's security objectives, principles, and requirements.
security posture
CISOGRC
The overall security status of an organization's networks, information, and systems based on resources, capabilities, and readiness to manage threats.
security program management
CISOGRC
In the NICE Framework, cybersecurity work where a person: Manages information security (e.g., information security) implications within the organiz...
separation of duties
GRCCISO
A security principle requiring that critical tasks be divided among multiple individuals to prevent fraud and errors.
server-side request forgery
Pentest / Red TeamAppSec / DevSecOps
A vulnerability that allows an attacker to induce the server-side application to make requests to unintended locations, potentially accessing inter...
server-side template injection
Pentest / Red Team
A web application vulnerability that allows attackers to inject template code into server-side templating engines.
serverless security
Cloud Security
Security practices for protecting serverless computing environments and functions.
service level agreement
CISOGRC
A commitment between a service provider and client that defines expected performance metrics including uptime, response time, and security incident...
service mesh
Cloud SecurityAppSec / DevSecOps
A dedicated infrastructure layer for handling service-to-service communication in microservices architectures.
session fixation
AppSec / DevSecOpsPentest / Red Team
An attack that exploits a vulnerability in how web applications manage session identifiers, allowing an attacker to fixate a session ID and then hi...
session hijacking
SOC AnalystThreat Hunter
An attack where an attacker steals or predicts a valid session token to impersonate a legitimate user.
sha-256
Network / InfraAppSec / DevSecOps
A cryptographic hash function that produces a 256-bit hash value.
shadow ai
Cloud SecurityCISOGRC
The unauthorized or unmonitored use of AI models, APIs, and tools within an organization, operating outside IT governance and security oversight. Shad...
shadow it
CISOCloud SecurityGRC
Information technology systems and solutions used within an organization without explicit IT department approval.
shared responsibility model
Cloud Security
A cloud security principle that divides security responsibilities between cloud providers and customers based on service model (IaaS, PaaS, SaaS).
shoulder surfing
Pentest / Red Team
A social engineering technique where an attacker observes a user's screen or keyboard to capture sensitive information such as passwords, PINs, or ...
sidecar proxy
Cloud Security
A pattern in service mesh architecture where a proxy container runs alongside each application container to handle security, observability, and tra...
siem
SOC Analyst
A security solution that helps organizations detect threats before they disrupt business.
sigma
SOC AnalystThreat Hunter
A generic signature format for describing detection patterns in log events.
sigma rules
SOC AnalystThreat Hunter
A generic and open signature format for SIEM systems.
signature
Network / Infra
A recognizable, distinguishing pattern.
silver ticket
Pentest / Red TeamThreat Hunter
A forged Kerberos TGS (Ticket Granting Service) ticket created using a stolen service account hash, providing access to a specific service without ...
silver ticket attack
Pentest / Red TeamIR / ForensicsThreat Hunter
A Kerberos attack where an attacker forges a service ticket using a service account's password hash, gaining access to that specific service withou...
single sign-on
CISONetwork / Infra
An authentication system that allows users to log in once and access multiple applications without reauthentication.
situational awareness
CISOSOC Analyst
Comprehending information about the current and developing security posture and risks, based on information gathered, observation and analysis, and...
skimming
SOC AnalystThreat Intel
The illegal copying of information from the magnetic stripe of a credit or debit card.
slowloris
SOC AnalystThreat Hunter
An attack tool designed to take down a server by flooding it with incomplete HTTP requests, without using much bandwidth.
smishing
CISOSOC AnalystPentest / Red Team
The fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal inform...
sniffing
Network / InfraPentest / Red Team
The practice of capturing and analyzing network packets as they travel across a network.
snort
SOC AnalystNetwork / Infra
An open-source network intrusion detection and prevention system capable of real-time traffic analysis and packet logging.
soc
SOC AnalystThreat Hunter
An intelligence hub for the company, gathering data from across the organization's networks, servers, endpoints and other digital assets and using ...
soc 2
GRC
An audit standard that verifies service organizations meet security, availability, processing integrity, confidentiality, and privacy criteria.
social engineering
Pentest / Red TeamSOC AnalystCISO
The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
sod
CISOSOC Analyst
An internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
software as a service
CISOSOC Analyst
A cloud service model delivering applications over the internet on a subscription basis.
software assurance
CISOSOC Analyst
The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any...
software assurance and security engineering
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Develops and writes/codes new (or modifies existing) computer applications, software, or ...
software bill of materials
AppSec / DevSecOpsGRC
A comprehensive inventory of all components, libraries, and dependencies used in a software application.
software composition analysis
CISOSOC Analyst
An automated approach to identifying open-source components, licenses, and vulnerabilities in software applications.
software defined networking
Network / InfraCloud Security
A network architecture approach that enables centralized, programmatic network control by separating the control plane from the data plane.
software supply chain attack
Pentest / Red TeamAppSec / DevSecOps
An attack targeting the supply chain to compromise software before it reaches end users.
software supply chain failures
AppSec / DevSecOpsGRCCISO
An OWASP Top 10:2025 category (evolved from Vulnerable and Outdated Components) that broadens scope to include unknown vulnerabilities introduced by third-party dependencies, compromised build pipelines, and integrity failures throughout the software supply chain.
solarwinds attack
Threat IntelCISO
A sophisticated supply chain attack discovered in December 2020 where threat actors compromised the SolarWinds Orion software update mechanism to d...
spam
CISOSOC AnalystNetwork / Infra
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
spear phishing
SOC AnalystThreat Hunter
A targeted phishing attack directed at specific individuals or organizations, using personalized information to increase the likelihood of success.
spearphish
SOC AnalystThreat Hunter
A malicious attack; spear phishing is a targeted form of phishing that uses personalized emails or messages to trick a specific individual or organ...
spectre
Network / Infra
A class of hardware vulnerabilities that exploit speculative execution in modern processors to leak sensitive data.
spf
Network / Infra
An email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.
spidering
CISOSOC Analyst
The process where hackers familiarize themselves with their targets in order to obtain credentials based on their activity.
split tunneling
Network / Infra
A VPN configuration that routes some traffic through the VPN tunnel while allowing other traffic to directly access the internet.
spoofing
CISOSOC AnalystNetwork / InfraPentest / Red Team
Faking the sending address of a transmission to gain illegal [unauthorized] entry into a secure system.
spyware
SOC AnalystThreat HunterCISO
Malware designed to collect information about users and their activities without their knowledge.
sql injection
Pentest / Red Team
A code injection attack that inserts malicious SQL statements into input fields to manipulate database queries.
ssl certificate
Network / InfraAppSec / DevSecOps
A digital document that binds a public key to an entity's identity and is used to establish secure HTTPS connections.
staas
CISOSOC Analyst
A practice of using public cloud storage resources to store your data.
standard operating procedure
GRC
A detailed set of instructions for performing specific security tasks consistently and repeatably.
stateful inspection
Network / Infra
A firewall technology that monitors the full state of active network connections and makes decisions based on the context of the traffic, not just ...
static analysis
AppSec / DevSecOps
The process of analyzing source code without executing it to identify potential security vulnerabilities, coding errors, and compliance issues.
static application security testing
AppSec / DevSecOps
An automated security testing approach that analyzes source code without executing it to identify vulnerabilities.
stealware
SOC AnalystThreat Hunter
Malware that steals credentials, financial information, or personal data for unauthorized access or sale.
steganography
Threat HunterIR / ForensicsThreat Intel
The practice of hiding secret data within ordinary files or messages to avoid detection.
stix
Threat Intel
A standardized XML language for describing cyber threat information, enabling organizations to share threat intelligence in a structured, machine-r...
stored xss
Pentest / Red TeamAppSec / DevSecOps
A type of cross-site scripting where the malicious script is permanently stored on the target server and executed whenever a user views the affecte...
strategic planning and policy development
CISOGRC
In the NICE Framework, cybersecurity work where a person: Applies knowledge of priorities to define an entity.
stream cipher
Network / Infra
A symmetric encryption algorithm that encrypts plaintext one bit or byte at a time, typically faster than block ciphers.
subject
CISOSOC Analyst
An individual, process, or device causing information to flow among objects or a change to the system state.
subresource integrity
AppSec / DevSecOps
A security feature that enables browsers to verify that resources fetched from CDNs or external sources have not been tampered with, using cryptogr...
supervisory control and data acquisition
GRC
A generic name for a computerized system that is capable of gathering and processing data and applying operational controls to geographically dispe...
supply chain
AppSec / DevSecOps
A system of organizations, people, activities, information and resources, for creating and moving products including product components and/or serv...
supply chain attack
Pentest / Red TeamAppSec / DevSecOps
An attack targeting a supply chain to compromise the primary target, affecting vendors, manufacturers, and distributors.
supply chain risk management
CISOAppSec / DevSecOpsGRC
The process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable lev...
suricata
SOC AnalystNetwork / Infra
An open-source intrusion detection and prevention engine that supports multi-threaded processing and multiple input methods.
surveilling
SOC AnalystThreat Hunter
The practice of monitoring computer networks and systems for threats, while surveillance is the act of observing them.
switchport
Network / Infra
The physical opening where a data cable can be plugged in.
symlink
CISOSOC Analyst
A symbolic link (symlink) is a Linux/UNIX link that points to another file or folder on your computer, or a connected file system.
symmetric cryptography
Network / InfraAppSec / DevSecOps
A branch of cryptography in which a cryptographic system or algorithms use the same secret key (a shared secret key).
symmetric encryption
Network / InfraAppSec / DevSecOps
An encryption method using the same key for both encryption and decryption.
symmetric key
Network / InfraAppSec / DevSecOps
A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt plaintext and decrypt cipherte...
syn flood
Network / InfraSOC Analyst
A denial-of-service attack that exploits the TCP handshake by sending a flood of SYN requests without completing the handshake, exhausting server r...
synthetic identity fraud
SOC AnalystThreat Hunter
A type of fraud using synthetic identities created with a mix of real and fake information to circumvent identity verification.
sysop
CISOSOC Analyst
Responsible for the upkeep and maintenance of servers, networks, and other IT infrastructure.
system administration
GRC
In the NICE Framework, cybersecurity work where a person: Installs, configures, troubleshoots, and maintains server configurations (hardware and so...
system integrity
CISOSOC Analyst
The attribute of an information system when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthor...
system prompt leakage
AppSec / DevSecOpsPentest / Red Team
A vulnerability in LLM applications where an attacker extracts the system prompt or hidden instructions through crafted inputs, potentially revealing sensitive business logic, security controls, or access credentials embedded in the prompt.
systems development
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Works on the development phases of the systems development lifecycle.
systems requirements planning
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Consults with customers to gather and evaluate functional requirements and translates the...
systems security analysis
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Conducts the integration/testing, operations, and maintenance of systems security.
systems security architecture
GRC
In the NICE Framework, cybersecurity work where a person: Develops system concepts and works on the capabilities phases of the systems development ...
T
tabletop exercise
CISOSOC AnalystIR / Forensics
A simulated incident response exercise where team members discuss and respond to a hypothetical security scenario without actual systems.
tactics, techniques, and procedures
Threat Hunter
The behaviors and patterns used by threat actors to conduct attacks, including attack methods (tactics), specific actions (techniques), and detaile...
tailored trustworthy space
SOC AnalystThreat Hunter
A cyberspace environment that provides a user with confidence in its security, using automated mechanisms to ascertain security conditions and adju...
targets
CISOSOC Analyst
In the NICE Framework, cybersecurity work where a person: Applies current knowledge of one or more regions, countries, non-state entities, and/or t...
taxii
Threat Intel
A protocol for exchanging cyber threat intelligence in a standard, automated manner.
tcp/ip
Network / Infra
The foundational communication protocol suite of the internet.
technical intelligence
Threat Intel
Intelligence gathered through technical means such as signals intelligence, imagery, and network analysis.
technology research and development
SOC Analyst
In the NICE Framework, cybersecurity work where a person: Conducts technology assessment and integration processes; provides and supports a prototy...
test and evaluation
CISOGRC
In the NICE Framework, cybersecurity work where a person: Develops and conducts tests of systems to evaluate compliance with specifications and req...
third-party risk management
CISO
The process of assessing and managing security risks posed by vendors, partners, and service providers.
threat
SOC AnalystThreat Hunter
An adversary, capability, or vulnerability that could potentially cause harm to an organization or system.
threat actor
Threat IntelSOC AnalystCISO
An individual or group responsible for cyber attacks.
threat agent
SOC AnalystThreat Hunter
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
threat analysis
SOC AnalystThreat Hunter
The detailed evaluation of the characteristics of individual threats.
threat assessment
SOC AnalystThreat Hunter
The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the poten...
threat campaign
Threat IntelCISOIR / Forensics
A coordinated set of malicious activities conducted by one or more threat actors over a period of time in pursuit of a specific strategic objective, such as espionage, financial gain, or disruption. A core STIX 2.1 domain object linking intrusion sets, malware, and victims.
threat feed
Threat IntelSOC Analyst
A continuous stream of threat intelligence data including indicators of compromise, malicious IPs, domains, and file hashes from external sources.
threat hunting
Threat Hunter
A proactive cybersecurity activity that involves searching networks and systems for evidence of ongoing attacks or indicators of compromise not det...
threat intelligence platform
Threat IntelSOC Analyst
A technology solution that aggregates, correlates, and analyzes threat intelligence data from multiple sources to provide actionable security insig...
threat intelligence sharing
Threat Intel
The coordinated exchange of threat information between organizations, government agencies, and security vendors to improve collective defense.
threat landscape
Threat IntelCISO
The overall view of current and emerging cyber threats facing an organization or industry.
threat modeling
AppSec / DevSecOpsCISOPentest / Red Team
A structured approach to identifying, quantifying, and addressing security risks in a system or application.
threat surface
CISOPentest / Red Team
The complete set of possible security risk exposures including all hardware, software, network connections, and human factors that could be exploited.
threatscape
AppSec / DevSecOps
The spectrum of possible cybersecurity threats.
threatware
SOC AnalystThreat Hunter
A general term encompassing all types of malicious software on computers and electronic devices.
ticket
Network / InfraAppSec / DevSecOps
In access control, data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), for...
time-based one-time password
Network / InfraAppSec / DevSecOps
An algorithm that generates a one-time password using the current time as a source of uniqueness.
time-of-check to time-of-use
Pentest / Red Team
A race condition vulnerability where a security check is performed, but the resource is modified before it is actually used.
timestomping
SOC AnalystThreat Hunter
A technique used in cybersecurity and digital forensics, where attackers modify the timestamps of files and directories on a computer system to hid...
tls
Network / Infra
A cryptographic protocol that provides end-to-end security for data sent between applications over the Internet.
token
AppSec / DevSecOpsNetwork / Infra
A digital object that represents a user's authentication state and permissions.
tokenization
GRCAppSec / DevSecOpsCloud Security
The process of replacing sensitive data with non-sensitive placeholder tokens.
traffic analysis
Network / InfraSOC AnalystThreat Hunter
The process of examining network traffic patterns to identify anomalies, potential threats, or unauthorized communications.
traffic light protocol
Network / Infra
A set of designations employing four colors (RED, AMBER, GREEN, and WHITE) used to ensure that sensitive information is shared with the correct aud...
transport layer
Network / Infra
Layer 4 of the OSI model responsible for end-to-end communication and data transfer between processes.
transport layer security
Network / Infra
A cryptographic protocol that provides secure communication over the internet.
triage
SOC AnalystIR / Forensics
The initial assessment and prioritization of security incidents based on severity, impact, and urgency.
triple extortion
Threat IntelCISO
An evolution of ransomware tactics adding a third layer of pressure beyond encryption and data leak threats, such as DDoS attacks or contacting vic...
trojan
SOC AnalystThreat Hunter
Malware disguised as legitimate software that performs malicious functions when installed.
trojan horse
SOC AnalystThreat Hunter
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms...
trojanize
CISOSOC Analyst
To convert into a Trojan.
trusted platform module
Network / Infra
A specialized chip on a device that stores RSA encryption keys specific to the host system for hardware authentication.
two-factor authentication
CISONetwork / Infra
A form of MFA requiring exactly two factors for authentication.
two-person integrity
GRCCISO
A security control requiring two authorized individuals to perform critical actions, preventing a single person from compromising sensitive operati...
typosquatting
Pentest / Red TeamCISOSOC Analyst
An attack that registers domain names similar to legitimate ones, exploiting users who mistype URLs to distribute malware or conduct phishing.
U
uac bypass
Pentest / Red TeamIR / ForensicsThreat Hunter
A privilege escalation technique that circumvents Windows User Account Control to execute code with elevated privileges without triggering the UAC con...
unauthorized access
CISONetwork / Infra
Any access that violates the stated security policy.
unbounded consumption
AppSec / DevSecOpsCloud Security
A vulnerability in LLM applications where insufficient controls on resource usage allow attackers to trigger excessive computation, memory, or API calls, leading to denial of service, cost explosion, or model degradation. Listed in the OWASP Top 10 for LLM Applications.
unified threat management
Network / InfraCISO
A network security appliance that combines multiple security functions including firewall, IDS/IPS, antivirus, VPN, and content filtering into a si...
unvalidated redirect
Pentest / Red Team
A vulnerability where an application redirects users to attacker-controlled URLs without proper validation.
upskill
CISOSOC Analyst
To provide someone, such as an employee, with more advanced skills through additional education and training.
url filtering
Network / InfraSOC Analyst
A security technology that restricts access to websites based on URL categories, reputation, or custom policies.
user and entity behavior analytics
SOC AnalystThreat Hunter
A security solution that uses machine learning to establish baseline behavior patterns for users and entities, detecting anomalies that may indicat...
user behavior analytics
SOC AnalystThreat Hunter
Security technology that uses machine learning to analyze user behavior patterns and detect anomalies that may indicate compromised accounts or ins...
V
vendor risk management
CISO
The process of assessing and managing security risks associated with third-party vendors and suppliers.
virtual desktop infrastructure
Cloud SecurityCISO
A technology that hosts desktop environments on a centralized server, streaming them to end users.
virtual machine
Cloud Security, IR / Forensics
A software emulation of a physical computer that runs an operating system and applications.
virtual private network
Network / Infra
A technology that creates an encrypted tunnel through the internet to securely connect remote users or sites to a private network.
virtualization
CISO, SOC Analyst
Creating virtual representations of servers, storage, networks, and other physical machines.
virus
SOC Analyst, Threat Hunter, CISO
Self-replicating malware that requires user action to propagate and infect other files or systems.
vishing
CISO, SOC Analyst, Pentest / Red Team
A hacking technique of defrauding targets over the phone, enticing them to divulge sensitive information.
vlan
Network / Infra
A logical subdivision of a network that groups devices regardless of physical location.
vlan hopping
Pentest / Red Team, Network / Infra
An attack that allows traffic from one VLAN to reach another without passing through a router, bypassing network segmentation.
vm escape
Cloud Security, Pentest / Red Team
An exploit that allows an attacker to break out of a virtual machine and interact with the host operating system, potentially compromising all othe...
vpn split tunneling
Network / Infra
A networking configuration that allows a VPN user to access both the corporate network and the public internet simultaneously through different rou...
vulnerability
Pentest / Red Team
A weakness in a system or application that could be exploited by an attacker.
vulnerability assessment
Pentest / Red Team
A systematic examination of systems and applications to identify security vulnerabilities.
vulnerability assessment and management
CISO, Pentest / Red Team, GRC
In the NICE Framework, cybersecurity work where a person: Conducts assessments of threats and vulnerabilities, determines deviations from acceptabl...
vulnerability disclosure
Pentest / Red Team, Network / Infra
The process of reporting security vulnerabilities to vendors in accordance with responsible disclosure practices.
vulnerability management
GRC, SOC Analyst, CISO
A continuous process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and software across an organization.
vulnerability scanner
SOC Analyst, Pentest / Red Team
An automated tool that scans systems, networks, and applications for known security vulnerabilities, misconfigurations, and policy violations.
W
wardriving
SOC Analyst, Threat Hunter
The practice of attackers searching for wireless networks with vulnerabilities while moving around an area in a vehicle.
wargaming
CISO, SOC Analyst
An interactive technique that immerses potential cyber incident responders in a simulated cyber scenario.
watering hole
Threat Intel, Threat Hunter
A targeted attack strategy that compromises websites frequently visited by a specific group.
watering hole attack
Pentest / Red Team
A cyber attack that compromises legitimate websites frequently visited by a target group, infecting them with malware to compromise users who visit...
weakness
SOC Analyst, Threat Hunter
A shortcoming or imperfection in software code, design, architecture, or deployment that, under proper conditions, could become a vulnerability or ...
weaponeering
Threat Hunter
A term borrowed from military doctrine that refers to the process of analyzing target vulnerabilities and matching them with specific cyber capabil...
weaponization
Pentest / Red Team
The process by which an attacker creates malware or malicious payloads to use against the target by designing new forms of malware.
weaponize
Pentest / Red Team
To develop an exploit against a vulnerability into an attack tool that can be deployed against a target.
web application firewall
Pentest / Red Team, Network / Infra
A specialized firewall that inspects HTTP/HTTPS traffic to block web application attacks such as SQL injection, XSS, and DDoS attacks.
web application penetration test
Pentest / Red Team
A focused penetration test targeting web applications to identify vulnerabilities such as injection flaws, authentication bypass, and data exposure.
web scraping
Pentest / Red Team, Threat Intel
The automated extraction of data from websites.
web shell
IR / Forensics, Pentest / Red Team, Threat Hunter
A malicious script uploaded to a web server that provides remote access and command execution capabilities.
website defacement
SOC Analyst, Threat Hunter
An attack where an attacker gains unauthorized access to a website and modifies its content.
whaling
SOC Analyst, CISO, Threat Intel
A highly targeted phishing attack directed at senior executives or high-profile individuals.
white box testing
Pentest / Red Team, AppSec / DevSecOps
A testing methodology where the tester has full knowledge of the target system's internal structure, source code, and architecture.
white team
Pentest / Red Team
A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.
whitebox
CISO, SOC Analyst
A form of testing that is performed with knowledge of a target system's internals.
whitelisting
Network / Infra, SOC Analyst
A security approach that explicitly allows only approved entities (applications, IP addresses, email addresses) while blocking everything else by d...
win-ddos
Pentest / Red Team
A novel cybersecurity attack technique that weaponizes legitimate, public-facing Windows Domain Controllers (DCs) to form a powerful, stealthy dist...
wiper
IR / Forensics, Threat Intel, SOC Analyst
Destructive malware designed to permanently destroy data on infected systems.
wiper malware
IR / Forensics, Threat Intel
Destructive malware designed to permanently destroy data on infected systems by overwriting or corrupting files and disk structures.
wireless intrusion prevention system
Network / Infra
A network device that monitors the radio spectrum for unauthorized access points and automatically takes countermeasures to protect the wireless ne...
wireless security
Network / Infra
Security measures for protecting wireless networks from unauthorized access and attacks.
work factor
CISO, SOC Analyst
An estimate of the effort or time needed by a potential adversary, with specified expertise and resources, to overcome a protective measure.
worm
SOC Analyst, Threat Hunter, CISO
Self-replicating malware that spreads across networks and systems without user interaction.
X
xaas
CISO, Network / Infra
A general category of services related to cloud computing and remote access.
xml external entity
Pentest / Red Team
An attack that exploits vulnerable XML parsers by injecting malicious external entity declarations.
Y
yara
Threat Intel, Threat Hunter, IR / Forensics, SOC Analyst
A pattern-matching tool and rule language used by security researchers and threat intelligence analysts to identify and classify malware samples and malicious artifacts based on textual or binary patterns. YARA rules are widely shared across threat intelligence communities for detection engineering.
yara rules
Threat Hunter, IR / Forensics, Threat Intel
Rules written in the YARA language that identify and classify malware samples based on textual or binary patterns.
Z
zero trust
CISO, Network / Infra, Cloud Security
A security philosophy that no entity inside or outside the network should be automatically trusted.
zero trust architecture
Network / Infra
A security model that assumes no user or system is inherently trustworthy and requires verification for every access request, regardless of locatio...
zero trust network access
Network / Infra
A security approach that verifies every access request and provides least-privilege access to specific resources, regardless of location or network.
zero-day
SOC Analyst, Threat Intel, Pentest / Red Team
A previously unknown software vulnerability that has no available patch at the time of discovery.
zero-day exploit
Pentest / Red Team
Malware or an attack that exploits a previously unknown vulnerability before a patch is available.
zero-day vulnerability
Pentest / Red Team
A previously unknown security vulnerability with no available patch.
zerologon
Pentest / Red Team, IR / Forensics
A critical vulnerability (CVE-2020-1472) in Microsoft's Netlogon protocol allowing an attacker to take over a domain controller by exploiting a cry...